If you've found a security issue in altacv — for example, a way for a malicious cv dict to escape into shell execution, exfiltrate environment data via the rendered PDF, or otherwise compromise the host running typst compile — please do not open a public issue.
Instead, open a private report via GitHub Security Advisories. I'll acknowledge within a few days and work with you on a fix.
altacv is a Typst template — it renders user-supplied data to PDF/HTML. The most realistic attack surface is malicious input crafted to exploit a Typst runtime bug; please report those upstream at typst/typst. Issues specific to this template (e.g. an icon lookup that reads outside icons/, or a label string that is interpreted unsafely) are in scope here.
Only the most recent published release on Typst Universe receives fixes.