This project is under active development. Security fixes are applied to the
latest released version on the main branch.
| Version | Supported |
|---|---|
main (latest) |
✅ |
| older tags | ❌ |
Please do not report security vulnerabilities through public GitHub issues, discussions, or pull requests.
Instead, report them privately using GitHub's private vulnerability reporting:
- Go to the "Security" tab of this repository.
- Click "Report a vulnerability" and fill in the advisory form.
Please include as much of the following as you can:
- The type of issue (e.g. SQL injection, authentication bypass, secret exposure, SSRF).
- The affected component and file path(s) / endpoint(s).
- Step-by-step instructions to reproduce, and a proof-of-concept if possible.
- The potential impact.
- We aim to acknowledge a report within a few business days.
- We will work with you to understand and validate the issue, and keep you informed of progress.
- Once a fix is ready, we will coordinate disclosure and credit you (if you wish).
- Change all default credentials before exposing an instance (e.g. the seeded
admin@integration.local/admin123demo account and any demo SFTP/API keys). - Set a strong
AUTH_JWT_SECRETand never commit real.envfiles. - Store connection credentials and API keys only in your own environment — never in the repository.