Please do not open a public issue for security vulnerabilities.
Instead, use GitHub's private vulnerability reporting on the affected repository: go to the Security tab → Report a vulnerability. This opens a private advisory visible only to you and the maintainer, and lets us coordinate a fix and disclosure timeline before any details go public.
If a repository doesn't have private reporting enabled, report the issue via
GitHub Security Advisories
on this .github repo instead, and it will be routed to the correct project.
Unless stated otherwise in a specific repository's README, only the latest released version of each project receives security fixes.