Please report security issues privately, not through public issues or pull requests.
Open a private advisory via GitHub Security Advisories.
Include the affected plugin, a description of the issue, and steps to reproduce or a proof of concept where possible. You'll get an acknowledgement, and a fix or mitigation once the report is confirmed.
These plugins run inside your own Open WebUI instance and inherit its trust model and permissions. Treat them like any third-party code: review before installing, keep Open WebUI up to date, and grant only the access a plugin needs. Vulnerabilities in Open WebUI itself belong in the Open WebUI security policy, not here.