Security: jessepesse/FeedrStream

SECURITY.md

Security Policy

Supported Versions

Currently, the following versions of FeedrStream are supported with security updates:

Version | Supported
------- | ---------
v0.1.x  |
< v0.1  |

Reporting a Vulnerability

Security is a high priority for FeedrStream, especially since it acts as a proxy for media streams and handles incoming network requests.

If you discover a security vulnerability within FeedrStream, please DO NOT open a public issue.

Instead, please report it privately via GitHub Private Vulnerability Reporting:

  1. Go to the repository on GitHub.
  2. Click Security → Advisories → Report a vulnerability.

This ensures the report is visible only to maintainers until a fix is released.

We will try to acknowledge receipt of the vulnerability within 48 hours and work on patching it promptly. When the patch is ready, we will release an updated GHCR image and a GitHub security advisory.

Scope

We are mostly concerned with:

  • Remote Code Execution (RCE) via yt-dlp or ffmpeg commands.
  • Directory Traversal or Server-Side Request Forgery (SSRF) in the /api/proxy pathways.
  • SQL Injection in the SQLite database layer.

Since FeedrStream is designed as a single-user, self-hosted application placed behind a reverse proxy, issues regarding missing session authentication in the frontend/backend are considered standard behavior and are not classified as security vulnerabilities.

There aren't any published security advisories.