Please ensure that you are using a supported version.
Distribution packages are usually outdated and full of vulnerabilities.
For a general overview, please first read security considerations as it pervades the architecture of the software.
We understand and accept that some researchers prefer full-disclosure, but we would prefer to have a heads up prior to the release of the vulnerability details.
Critical bugs are usually fixed (if reproducible) within hours, rather than days or weeks. Though making a new release does take a little bit longer. Even more so for vulnerabilities.
Please contact security@xpra.org