Please do not open GitHub issues or pull requests - this makes the problem immediately visible to everyone, including malicious actors.
Security issues in this open-source project can be safely reported to Zote's Vulnerability Disclosure Program. Zotes security team will triage your report and respond according to its impact.