The script is executed on demand and only modifies the files passed to it. This means that security is completely under the control of users, who also have the option to contain any vulnerabilities by not executing the script or by checking the input files for bugs.
Only the latest version is supported with security updates, since this script is usually run on demand and with user-controlled data.
Open an issue on GitHub (https://github.com/melexis/unity2junit/issues) and mark it as a security vulnerability. A reproducible use case will help greatly with debugging and a quick fix. You are also more than welcome to open a Pull Request with a fix (do not forget the detailed pull request description).