Please report security vulnerabilities by email to one of the maintainers, with Subject containing users_picker substring. If there was no reply in 24 hours, then create an Issue, without technical details, to inform about previously sent mail.