@v4 This is a risk with any application, and NodeBB is no exception. Think "zero-day exploits" and applications which accidentally let someone "break out" of the environment. It's obviously something we patch and code against, but finding them is often another matter 🙂
We maintain an email specifically for handling these issues: email@example.com. If you've located an exploit vector, email use privately there, and we'll get it fixed up!