GitHub commit 6bea30996979f085701542d8905966240545cd8e (on April 20th, 2020) for Bootgen introduces a security vulnerability by exposing part of the AES Key in the IV when generating Key/IV pairs.
For more information on how to sign up to receive notifications for new Design Advisories, see (Xilinx Answer 18683).
The issue has been addressed with GitHub commit bb38995468d8c830cbbfc5062e903961444c0a3c (on May 14th, 2020).
The official 2020.1 release TAG of Bootgen is NOT impacted.
Note: Xilinx continues to recommend the use of the official TAG (for example 2019.2 or 2020.1) from GitHub when deploying a product.
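
For Key/IV pairs produced by a Bootgen build from the affected commit range, one way to audit them is to look for AES key bytes that reappear inside the IV. This is an added example, not Xilinx or Bootgen code: it assumes the exposure shows up as a contiguous run of key bytes copied verbatim into the IV (the advisory does not describe the layout), the function names are hypothetical, and the hex values are constructed samples.

```python
"""Audit Key/IV pairs for AES key bytes that reappear inside the IV."""

MIN_RUN = 4  # bytes; chance match is ~2**-24 for a random 32-byte key and 12-byte IV


def longest_shared_run(key: bytes, iv: bytes) -> tuple[int, int, int]:
    """Return (length, key_offset, iv_offset) of the longest byte run in both."""
    best = (0, -1, -1)
    prev = [0] * (len(iv) + 1)  # prev[j]: run length ending at key[i-2], iv[j-1]
    for i in range(1, len(key) + 1):
        cur = [0] * (len(iv) + 1)
        for j in range(1, len(iv) + 1):
            if key[i - 1] == iv[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best[0]:
                    best = (cur[j], i - cur[j], j - cur[j])
        prev = cur
    return best


def audit_pairs(pairs: dict, min_run: int = MIN_RUN) -> dict:
    """Map each flagged pair name to its (length, key_offset, iv_offset) hit."""
    flagged = {}
    for name, (key_hex, iv_hex) in pairs.items():
        hit = longest_shared_run(bytes.fromhex(key_hex), bytes.fromhex(iv_hex))
        if hit[0] >= min_run:
            flagged[name] = hit
    return flagged


# Constructed sample values (not real keys, not Bootgen output).
KEY = "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
SAMPLE_PAIRS = {
    "leaky": (KEY, "a1b2c3d408090a0b0c0d0e0f"),  # IV embeds key bytes 8..15
    "clean": (KEY, "f0e1d2c3b4a5968778695a4b"),  # IV shares no bytes with key
}

if __name__ == "__main__":
    for name, (length, k_off, iv_off) in audit_pairs(SAMPLE_PAIRS).items():
        print(f"{name}: {length} key bytes at key[{k_off}] reappear at iv[{iv_off}]")
```

A pair that is not flagged has not been shown safe, because the check only catches verbatim contiguous reuse.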