As described in the script documentation, the primary aim of l3sys-query is
to support system queries in the context of restricted shell escape from a TeX
run. Specifically, the script is intended to respect restricted shell escape.
Security vulnerabilities can be reported privately via GitHub at https://github.com/latex3/l3sys-query/security. Using this mechanism means that the potential issue does not show in the public issues list, and will give the team chance to review the report before it is made public.
Alternative, the LaTeX Team can be contacted by email: latex-team@latex-project.org.