1.xreceives security updates.
Please report vulnerabilities privately first.
Include:
- affected component
- reproduction steps
- impact assessment
- suggested mitigation (if available)
Do not open a public issue for unpatched critical vulnerabilities.
- Plugin host isolation and permission bypasses
- Command injection in MCP / plugin execution
- Local data exposure in RAG and file engine
- Remote API credential leakage