Only the latest released version of MkDocs-NG receives security fixes.

Please do not report security vulnerabilities through public GitHub issues.

To report a vulnerability, please use GitHub Private Security Advisories.

You can expect:

• Acknowledgement within 48 hours
• A fix or mitigation plan within 7 days for critical issues
• Credit in the release notes (unless you prefer to remain anonymous)

Issues that are considered in scope:

• Remote code execution
• Arbitrary file read/write during build
• Path traversal vulnerabilities
• Template injection

Issues that are out of scope:

• Vulnerabilities in generated static HTML output (the user controls the content)
• Issues requiring a malicious mkdocs.yml authored by the site owner themselves