CVE-2026-39371
HIGH EPSS 11.3%
Published Apr 7, 20262mo ago · Modified Jun 17, 20262w ago
8.1 CVSS 3.1
Published Apr 7, 2026 2mo ago
Last Modified Jun 17, 2026 2w ago
Description
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
CVSS Details
Base Score
Exploitability
Impact
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability High
Threat Intelligence
EPSS Exploit Probability
11.3% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-352 Cross-Site Request Forgery (CSRF) Authentication
Affected Products 11
| Vendor | Product | Version | Range |
|---|---|---|---|
| redwoodjs | redwoodsdk | * | ≥1.0.1 – <1.0.6 |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
| redwoodjs | redwoodsdk | 1.0.0 | any |
References 1
- github.com https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.