DEV Community

Discussion on: How do I flag when a coworker has bad security practices?

Ashley Sheridan

There may be different approaches based on the severity of the security problem:

For minor things (e.g. too much information being logged), look at raising tickets (presuming you have a ticketing system in place) and tag them as security fixes. Multiple tickets might be required to remedy the situation, e.g. one to clean the logs, and another to clean the code that is doing the logging.

More serious matters (such as a security vulnerability which could allow access to a production server, or anything that might feature on the OWASP Top 10) need an immediate fix, and these you should take to your security team or a manager. If you're concerned about the more senior colleague, you don't have to mention their name; just highlight the code responsible for the possible issue. Then it's up to your manager to decide what needs to happen, but from experience it is likely to be just further security training.

With all of these problems, see if it's something that can be raised earlier on in code reviews. You should never have to be worried about commenting on pull requests of a more senior developer, as everyone can have valid input. I lead a team myself, and am a senior developer, but I welcome input on pull requests because I know I don't know everything. Try to provide solid examples of why you feel the code might be insecure, either with a small test case of code or a link out to best practices documentation (internal or external).