Łukasz Gruszczelak
Hello, CERT PL sent you a report on the 23rd of November and resent it on the 18th of December. Have you received either of them?
We are aware that this code is not meant to be deployed. However, in a limited scope that vulnerability still poses a risk - when a user runs cruddiy locally...
Hi, any updates on that? We would like to proceed with assigning a CVE for that vulnerability.
Hi, CERT PL has performed a broad vulnerability scan of open source projects and that one was tested as well. Different ways of handling such reports are possible, it depends...
We just searched for popular projects on GH and performed a relatively shallow check on them. Surely the scan was not intended to find all possible vulnerabilities, so other ones...
Thanks @s-martin for correcting the version, I must admit getting a bit confused by the branching strategy ;-)