thaumiel is pre-1.0; only the latest release receives security fixes.
Report vulnerabilities privately through GitHub's "Report a vulnerability" form; please do not open a public issue.
Once the issue is resolved, a fix will be released and the advisory disclosed.