Please do not open a public GitHub issue for security vulnerabilities.
Report them privately via GitHub Security Advisories or by emailing the maintainer directly (see the GitHub profile).
Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept
- Affected versions
You can expect an acknowledgement within 72 hours and a fix or mitigation plan within 14 days for confirmed issues.
This project handles:
- Planka API tokens passed as Bearer credentials
- OAuth authorization codes (PKCE flow, signed with CODE_SECRET)
- Per-card metadata stored in a local PostgreSQL database
Secrets are never logged or stored beyond their intended purpose.
CODE_SECRET and Planka tokens are not persisted after use.
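The "OAuth authorization codes (PKCE flow, signed with CODE_SECRET)" item above names a technique without showing it. The block below is an added illustration, not the project's own code, of one way such a code can work: the authorization code is a self-contained token whose claims (client, redirect URI, PKCE `code_challenge`, expiry, nonce) are HMAC-SHA256 signed with the CODE_SECRET value, and redemption verifies the signature, expiry, client binding, the S256 proof from `code_verifier`, and single use. The function names, claim layout, 60-second lifetime and in-memory replay set are assumptions made for the example; the secret is read from the environment with a placeholder fallback only so the example runs stand-alone.

```python
import base64
import hashlib
import hmac
import json
import os
import secrets
import time

# Assumption: the project reads its signing key from CODE_SECRET. The fallback
# value exists only so this example runs offline; never ship a default secret.
CODE_SECRET = os.environ.get("CODE_SECRET", "example-only-not-a-real-secret")
CODE_TTL_SECONDS = 60  # assumed lifetime; RFC 6749 recommends codes be short-lived

# Assumption: replay protection kept in memory for the example. A real deployment
# would keep redeemed nonces in persistent storage shared by all instances.
_redeemed_nonces: dict = {}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), payload, hashlib.sha256).digest()


def pkce_challenge(code_verifier: str) -> str:
    """S256 transform from RFC 7636: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def issue_code(client_id, redirect_uri, code_challenge, secret=CODE_SECRET, now=None):
    """Mint an authorization code: base64url(claims) '.' base64url(HMAC)."""
    now = time.time() if now is None else now
    claims = {
        "cid": client_id,          # client the code was issued to
        "ru": redirect_uri,        # redirect URI used in the authorize request
        "cc": code_challenge,      # PKCE challenge; proved later by code_verifier
        "exp": int(now) + CODE_TTL_SECONDS,
        "n": secrets.token_hex(8), # nonce so identical requests yield distinct codes
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64url(payload) + "." + _b64url(_sign(payload, secret))


def redeem_code(code, client_id, redirect_uri, code_verifier, secret=CODE_SECRET, now=None):
    """Validate a code at the token endpoint. Returns claims or raises ValueError.
    Error messages deliberately contain no secret or token material, so logging
    them does not leak anything."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = code.split(".", 1)
        payload = _b64url_decode(payload_b64)
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):  # binascii.Error is a ValueError subclass
        raise ValueError("malformed code")
    # Check the signature before trusting any claim, with a constant-time compare.
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        raise ValueError("bad signature")
    claims = json.loads(payload)
    if now > claims.get("exp", 0):
        raise ValueError("code expired")
    if claims.get("cid") != client_id or claims.get("ru") != redirect_uri:
        raise ValueError("client or redirect_uri mismatch")
    expected = pkce_challenge(code_verifier).encode()
    if not hmac.compare_digest(expected, str(claims.get("cc", "")).encode()):
        raise ValueError("PKCE verification failed")
    # Single use: a signed code is stateless, so replay must be tracked explicitly.
    nonce = claims.get("n")
    if nonce in _redeemed_nonces:
        raise ValueError("code already redeemed")
    _redeemed_nonces[nonce] = claims["exp"]
    # Drop expired nonces so the replay set does not grow without bound.
    for n, exp in list(_redeemed_nonces.items()):
        if now > exp:
            del _redeemed_nonces[n]
    return claims


if __name__ == "__main__":
    verifier = secrets.token_urlsafe(32)  # 43 chars, within RFC 7636 limits
    code = issue_code("planka-mcp", "https://app.example/cb", pkce_challenge(verifier))
    print(redeem_code(code, "planka-mcp", "https://app.example/cb", verifier)["cid"])
```

Two points the example makes that the one-line list item does not: a signed code is only as good as the checks run at redemption (signature first, then expiry, then client binding, then the PKCE proof), and because the code carries its own state it cannot enforce single use by itself, so a replay record is still required.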