[Security] Responsible Disclosure - Security Vulnerability Found #4067

Description

@Astaruf

Environment

Hi,

I have identified a security vulnerability in MagicMirror² that could affect users running the application in server mode (exposed to a network).

I'd like to follow responsible disclosure practices and share the details privately before any public release.

Could you please:

I will keep the details private until a fix is available or 90 days have passed (whichever comes first), in line with standard responsible disclosure timelines.

Thank you.

Which start option are you using?

node --run start

Are you using PM2?

No

Module

None

Have you tried disabling other modules?

  • Yes
  • No

Have you searched if someone else has already reported the issue on the forum or in the issues?

  • Yes

What did you do?

Found a security vulnerability

What did you expect to happen?

Enable https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability on this repository.
OR
Possibility to share vulnerability details privately.

What actually happened?

n/a

Additional comments

No response

Participation

  • I am willing to submit a pull request for this change.
