If you discover a security issue, please report it privately first.

• Do not open a public issue for active vulnerabilities.
• Provide impact summary, reproduction steps, and affected versions.

We will acknowledge reports and provide mitigation guidance as soon as possible.