Only the latest release is supported with security updates.
Please do not report security vulnerabilities through public GitHub issues.
Instead, please use GitHub Private Vulnerability Reporting to submit a report.
You should receive a response within 7 days. If the vulnerability is confirmed, a fix will be released as soon as possible.
Reports related to the following are in scope:
- Unauthorized file access or path traversal
- Cross-site scripting (XSS) via rendered Markdown
- Authentication or authorization bypass on the local server
- Remote code execution
The --dangerously-allow-remote-access flag intentionally disables access restrictions. Vulnerabilities that require this flag to be enabled are generally out of scope, as the flag name itself signals the associated risk.