If you discover a security vulnerability, please report it privately:
- Do NOT open a public GitHub issue
- Use GitHub's private vulnerability reporting feature
- Include: description, reproduction steps, and impact assessment

We aim to respond within 48 hours and release a fix within 7 days for critical issues.

- Command injection via config values
- Privilege escalation during install
- Unsafe temporary file handling
- Supply chain risks in default template URLs