Yes, that's exactly what we do. Some examples: https://github.com/eosphoros-ai/DB-GPT/pull/2650, https://github.com/dagster-io/dagster/pull/30002

We just need to follow responsible disclosure first by notifying the maintainers, working with them on a fix, and making it public once it is resolved.