cephctl uses trunk-based development model with periodic semver releases marked against master branch right when the target feature is completed for particular milestone. Which means the most recent release is considered stable, secure and contains all the most recent features.
To make a report please use GitHub security section and click "Report a vulnerability" button to fill details. Please don't forget to add cephctl version, Ceph version and any other related details to reproduce the issue.