This is a client-side Unity UI library with no network, storage, or authentication surface of its own. The realistic risk area is a malformed asset (for example an SVG or UXML) that crashes the Unity importer or the runtime.
Please report anything you believe is exploitable privately, not as a public issue:
- Open a private advisory via the repository's Security tab (Report a vulnerability), or
- Reach out to @sinanata.
I will acknowledge the report and, if it is valid, fix it on main and credit you unless you prefer otherwise.
The latest release on main is the only supported version. Fixes land there first.