@v4 This is a risk with any application, and NodeBB is no exception. Think "zero-day exploits" and applications which accidentally let someone "break out" of the environment. It's obviously something we patch and code against, but finding them is often another matter
We maintain an email specifically for handling these issues: firstname.lastname@example.org. If you've located an exploit vector, email use privately there, and we'll get it fixed up!