Security fixes are applied to the current development branch until formal release channels are established.
Do not open public issues for suspected vulnerabilities.
Report security concerns privately through GitHub private vulnerability reporting when available, or contact the repository owner directly. Include:
- affected component and version or commit
- steps to reproduce
- expected and actual impact
- any proof-of-concept details needed to validate the issue

We aim to acknowledge valid reports promptly and coordinate disclosure based on severity, exploitability, and available mitigations.
Security reports are especially relevant for authentication, authorization, CSRF protection, API token handling, local SCGI exposure, path handling, container/runtime hardening, dependency vulnerabilities, and WebSocket behavior.