This is not an issue with WebKit, but with WebKit Bugzilla. I see that we are currently running Bugzilla 4.2.11, which was released in October 2014 and superseded by Bugzilla 4.2.12 in January 2015. Six security issues have been disclosed since that time. They are documented at https://www.bugzilla.org/security. Updating to version 4.2.16 would resolve five of the following issues. Updating to version 4.4.12 (which is currently used by GNOME Bugzilla) would resolve all of them.

Class:       Command Injection
Versions:    All versions before 4.0.16, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6,
             4.5.1 to 4.5.6
Fixed In:    4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Some code in Bugzilla does not properly utilize 3 arguments form
             for open() and it is possible for an account with editcomponents 
             permissions to inject commands into product names and other
             attributes.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1079065
CVE Number:  CVE-2014-8630 

Class:       Information Leak
Versions:    2.23.3 to 4.0.15, 4.1.1 to 4.2.11, 4.3.1 to 4.4.6, 4.5.1 to 4.5.6
Fixed In:    4.0.16, 4.2.12, 4.4.7, 5.0rc1
Description: Using the WebServices API, a user can possibly execute imported
             functions from other non-WebService modules. A whitelist has now 
             been added that lists explicit methods that can be executed via the
             API.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1090275

Class:       Unauthorized Account Creation
Versions:    Bugzilla 2.0 to 4.2.14, 4.3.1 to 4.4.9, 4.5.1 to 5.0
Fixed In:    4.2.15, 4.4.10, 5.0.1
Description: Login names (usually an email address) longer than 127
             characters are silently truncated in MySQL which could
             cause the domain name of the email address to be
             corrupted. An attacker could use this vulnerability to
             create an account with an email address different from the
             one originally requested. The login name could then be
             automatically added to groups based on the group's regular
             expression setting.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1202447
CVE Number:  CVE-2015-4499

Class:       Cross-Site Scripting
Versions:    Bugzilla 2.6 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1
Fixed In:    4.2.16, 4.4.11, 5.0.2
Description: During the generation of a dependency graph, the code for
             the HTML image map is generated locally if a local dot
             installation is used. With escaped HTML characters in a bug
             summary, it is possible to inject unfiltered HTML code in
             the map file which the CreateImagemap function generates.
             This could be used for a cross-site scripting attack.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1221518
CVE Number:  CVE-2015-8508

Class:       Information Leak
Versions:    Bugzilla 2.17.1 to 4.2.15, 4.3.1 to 4.4.10, 4.5.1 to 5.0.1
Fixed In:    4.2.16, 4.4.11, 5.0.2
Description: If an external HTML page contains a <script> element with
             its src attribute pointing to a buglist in CSV format, some
             web browsers incorrectly try to parse the CSV file as valid
             JavaScript code. As the buglist is generated based on the
             privileges of the user logged into Bugzilla, the external
             page could collect confidential data contained in the CSV
             file.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1232785
CVE Number:  CVE-2015-8509

Class:       Cross-Site Scripting
Versions:    Bugzilla 2.16rc1 to 4.4.11, 4.5.1 to 5.0.2
Fixed In:    4.4.12, 5.0.3
Description: Due to an incorrect parsing of the image map generated by the
             dot script, a specially crafted bug summary could trigger XSS
             in dependency graphs.
References:  https://bugzilla.mozilla.org/show_bug.cgi?id=1253263
CVE Number:  CVE-2016-2803