CVE-2026-6402 webpack-dev-server vulnerable to cross-origin source code exposure on non-HTTPS origins
webpack-dev-server versions up to and including 5.2.3 are vulnerable to cross-origin source code exposure when serving over a non-potentially trustworthy origin such as plain HTTP. The previous fix relied on the Sec-Fetch-Mode and Sec-Fetch-Site request headers, which browsers omit for...
Cross-Site Request Forgery (CSRF)
@rails/ujs is vulnerable to cross-site request forgery (CSRF). The same-origin header in XMLHttpRequest requests is not validated before including the CSRF token, potentially allowing remote attackers to submit requests on behalf of the user...