Hi Chris,
as we all know, almost all of the code in the world has potential security issues.
When someone finds a flaw, the best idea is to notify privately the author(s) of the code itself, so he(they) can take appropriate countermeasures as soon as possible.
NSSM is actively maintained as you can see here https://git.nssm.cc/?p=nssm.git
If you click on any of the commit you can see author's email address. He says "To report a bug, use my email address from any of the commits..." (https://nssm.cc/bugs).
Please do this giving the more details possible, so he can enhance the security of the code.
Thank you very much
Alessandro