Yes, this is reported 'Medium' severity security issue. We need some traction on the fix, can this also be back ported to 1.2.6 ?
An update will certainly help here.