Entirely personal recommendation, take it or leave it: I’ve seen and attacked enough of this codebase to remove any CUPS service, binary and library from any of my systems and never again use a UNIX system to print. I’m also removing every zeroconf / avahi / bonjour listener. You might consider doing the same.
Great advice. It would appear these developers don’t take security seriously.
Loads of complex code exposed to an assumed trusted network is the model of printers. They’re going to be full of security issues.
This stuff should be sandboxed and then never, ever exposed to the Internet.