If you have discovered a security issue with Backdrop CMS, please contact the Backdrop Security Team directly at security@backdropcms.org. We manage security issues separately in a private repository until the issue has been resolved. Even if you're not sure if it's a security problem, please contact the security team before filing an issue, blogging, or tweeting about it.