Refer to our Community Security Response.

Even though this is a fork, it would be best to disclose potential security vulnerabilities via the guidelines linked above. Please don't just open an issue, since that can cause other headaches... I'm not generally a fan of secrecy, but security embargoes are a real (important) thing.