Security: tinyproxy/tinyproxy

SECURITY.md

Security Policy

Supported Versions

Version Supported
1.11.x
<= 1.10.x

Reporting a Vulnerability

Open a public issue on GitHub. The issue will most likely be fixed within a day, unless all maintainers happen to just be taking a vacation at the same time, which is unlikely.

Even then, having the bug publicly known will allow competent people to come up with custom patches for distros, most likely quicker than black hats can craft a remote execution exploit.

If you really, really do not want to make the issue public, come to the tinyproxy IRC channel and ask for a maintainer, whom you can then contact via private messages.

Do not, however, like "TALOS Intelligence", pull a random email address out of git log, then send an email nobody reads or responds to, and wait for 6 months for publication. This only gives black hats plenty of time to sell, use and circulate zero days and get the best possible ROI.

There aren’t any published security advisories