Hacker News

dangus, today at 1:38 AM

The author of this blog post essentially never reported the exploit to the Forgejo maintainers. They merely submitted a security-related PR.

The maintainers aren't mind readers. They have never been directly informed that a proven exploit exists, and the author of the article actively ignored the project's reporting process despite being aware of it.

And it's not a particularly complicated report process. You literally just email them.