Latest major version in terms of semantic versioning is supported.

Security issues are a special case. If you find a security hole in a YOURLS project, disclosing it to the public with opening an issue is not the ideal.

Make 100% sure it is a security hole (same process as bug reports) but instead of opening an issue, send an email to yourls@yourls.org.