If you believe you may have discovered a security issue with Backdrop CMS, please contact the Backdrop Security Team directly at security@backdropcms.org. In order to keep everyone safe, we manage security issues separately in a private repository. So please refrain from publicly blogging, or tweeting about it until the issue has been resolved.