cvedb.io
CVE-2026-39371
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2026-04-07T20:16:31.980 · Last modified 2026-06-17T10:42:00.650

Summary

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

Affected products

redwoodjs — redwoodsdk


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.