It might be affected by the recent coppermine vulnerability, see bug #103357.
CC'ing Sejo explicitly to advise.
I suppose the new "Certified Secure" 9.0.6.1 version fixes the Coppermine thing. In the Changelog: # Bug: Fixed cookies for coppermine sejo: please check and bump
Ccing web-apps herd as sejo is apparently missing.
I'm back and bumped the release so sec issue should be fixed...
Thx Jochen. ~ -> Closing without GLSA.