Hello Vincent, thank you for the report. I contacted upstream on a non-public channel and asked for judgment.
Next time when you mean to notice a security issue please do not postit in public somewhere. Every project has channels to submit security issues.
Regards, Christian
