Warning : Please do not create GitHub issues for security vulnerabilities.
WSO2 takes security issues very seriously. If you have any concerns regarding our product security or have uncovered a security vulnerability, we strongly encourage you to report that to our private and highly confidential security mailing list: security@wso2.com first, without disclosing them in any forums, sites, or other groups - public or private. To protect the end-user security, these issues could be disclosed in other places only after WSO2 completes its Vulnerability Management Process.
WSO2 guidelines for reporting a security vulnerability page describes how to report a Security Vulnerability and includes a public key if you wish to send secure messages to security@wso2.com