1. Critical WebSocket Origin Check Disabled in Orbit Server Enables Cross-Site Hijacking
A critical security misconfiguration has been identified in the Orbit server codebase, leaving production deployments exposed to Cross-Site WebSocket Hijacking (CSWSH). The vulnerability stems from `InsecureSkipVerify: true` being set on the WebSocket `Accept` call in `cmd/server/main.go`, which disables origin validat...