Mini CMS is pre-1.0 software. Security fixes target the latest version on main and the latest tagged beta release when practical.
Please do not open a public issue for a suspected security vulnerability.
Report privately by contacting the project maintainer through the security contact listed on the repository. Include:
- A clear description of the vulnerability
- Steps to reproduce
- Impact and affected routes or files
- Any suggested mitigation
Do not include real secrets, customer data, production database files, or private server information in reports.
Production deployments must:
- Set `APP_ENV=production`
- Set `APP_DEBUG=false`
- Use HTTPS
- Keep `.env` outside the public web root
- Keep `database/database.sqlite` outside the public web root
- Change default/demo admin credentials
- Restrict admin users through roles and permissions
- Block executable uploads
See SECURITY_PRODUCTION.md for the full production checklist.