Is this forum the right place to discuss and diagnose possible security vulnerabilities in webwork?
Hopefully the red flags are just mistakes by automated security scans, but who knows.
Please do consider if you have
found a security vulnerability, that posting publicly about it here
might direct bad actors to abuse it.
Until there is a better solution - email one of the core team members. I'll send you some addresses to choose from.