Security vulnerabilities can be reported privately via GitHub at https://github.com/davidcarlisle/latexcgi/security. Using this mechanism means that the potential issue does not show in the public issues list, and will chance to review the report before it is made public.