CVE-2026-39371 · HIGH 8.1 · EPSS percentile 11.2%

Description

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 through 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing the HTTP method they were intended to be called with. In cookie-authenticated applications this allowed a cross-site top-level GET navigation (a link or redirect from an attacker-controlled site) to trigger state-changing functions, because browsers attach SameSite=Lax cookies to top-level GET navigations even when the navigation originates on another site. This affected all server functions, both serverAction() handlers and bare exported functions in "use server" files. The vulnerability is fixed in 1.0.6.
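The following is an added illustration of the condition described above; it is not RedwoodSDK's code and is not taken from the advisory. The route "/__server_fn", the cookie name "session", the "updateEmail" server function, the session table and both dispatchers are hypothetical stand-ins for the framework's internals. It models the browser's SameSite=Lax cookie rule, a dispatcher that ignores the request method (the pre-1.0.6 shape) beside one that enforces it, and a cross-site GET navigation run against each:

```javascript
// Added example for CVE-2026-39371; illustrative code, not RedwoodSDK's.
// Route, cookie name, session table and server function are hypothetical.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Browser model: is a cookie attached to a request that originates on another
// site? A SameSite=Lax cookie travels only on a top-level navigation that uses
// a safe method, which is exactly what a cross-site link or redirect to a GET
// URL is. Cross-site POSTs and subresource fetches do not carry it.
function cookieSentCrossSite(sameSite, method, topLevelNavigation) {
  if (sameSite === 'None') return true; // only valid together with Secure
  if (sameSite === 'Strict') return false;
  if (sameSite === 'Lax') return topLevelNavigation && SAFE_METHODS.has(method);
  throw new Error(`unknown SameSite value: ${sameSite}`);
}

// Hypothetical app: one user, one session, one state-changing server function.
function makeApp() {
  const db = { users: { alice: { email: 'alice@example.com' } } };
  const sessions = { 'sess-alice': 'alice' };
  const serverFunctions = {
    updateEmail(user, email) {
      db.users[user].email = email;
      return 'updated';
    },
  };
  return { db, sessions, serverFunctions };
}

// Resolve the session cookie to a user name, or null when absent/unknown.
function authenticate(app, req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || '');
  return m ? (app.sessions[m[1]] ?? null) : null;
}

// "/__server_fn?id=updateEmail&arg=..." -> { id, args }
function parseInvocation(url) {
  const u = new URL(url);
  return { id: u.searchParams.get('id'), args: u.searchParams.getAll('arg') };
}

function invoke(app, req) {
  const user = authenticate(app, req);
  if (!user) return { status: 401 };
  const { id, args } = parseInvocation(req.url);
  const fn = app.serverFunctions[id];
  if (!fn) return { status: 404 };
  return { status: 200, body: fn(user, ...args) };
}

// Vulnerable shape (the behaviour the description above reports): the method
// is never consulted, so a GET that reaches the route runs the function.
function vulnerableDispatch(app, req) {
  return invoke(app, req);
}

// Hardened shape: safe methods are rejected outright, and the request must
// also prove it is same-origin. Sec-Fetch-Site is used where the browser sends
// it; the Origin header is the fallback for browsers that do not.
function hardenedDispatch(app, req, ownOrigin) {
  if (SAFE_METHODS.has(req.method)) return { status: 405 };
  const site = req.headers['sec-fetch-site'];
  const sameOrigin = site !== undefined ? site === 'same-origin' : req.headers.origin === ownOrigin;
  if (!sameOrigin) return { status: 403 };
  return invoke(app, req);
}

const OWN_ORIGIN = 'https://app.example';

// Attack: alice, logged in at app.example, follows a link on another site.
// The browser treats it as a top-level GET, so the Lax cookie goes with it.
function simulateCrossSiteGet(dispatch) {
  const app = makeApp();
  const cookie = cookieSentCrossSite('Lax', 'GET', true) ? 'session=sess-alice' : '';
  const req = {
    method: 'GET',
    url: `${OWN_ORIGIN}/__server_fn?id=updateEmail&arg=attacker%40evil.example`,
    headers: { cookie, 'sec-fetch-site': 'cross-site' }, // GET navigations carry no Origin
  };
  const res = dispatch(app, req, OWN_ORIGIN);
  return { status: res.status, email: app.db.users.alice.email };
}

// Legitimate use: the app's own page submits the action with POST.
function simulateSameOriginPost(dispatch) {
  const app = makeApp();
  const req = {
    method: 'POST',
    url: `${OWN_ORIGIN}/__server_fn?id=updateEmail&arg=alice%40new.example`,
    headers: { cookie: 'session=sess-alice', origin: OWN_ORIGIN, 'sec-fetch-site': 'same-origin' },
  };
  const res = dispatch(app, req, OWN_ORIGIN);
  return { status: res.status, email: app.db.users.alice.email };
}

console.log('cross-site GET, vulnerable:', simulateCrossSiteGet(vulnerableDispatch));
console.log('cross-site GET, hardened:  ', simulateCrossSiteGet(hardenedDispatch));
console.log('same-origin POST, hardened:', simulateSameOriginPost(hardenedDispatch));
```

Rejecting safe methods is the part that corresponds to the fix the description implies; the Sec-Fetch-Site/Origin comparison is an extra layer added here, not something the advisory attributes to the project. It matters because a Lax cookie alone is not a complete CSRF defence: Chromium's default-Lax treatment of cookies set without an explicit SameSite attribute still allows them on cross-site POSTs for two minutes after the cookie is set, so method enforcement should be paired with an origin check or an anti-CSRF token.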

Scoring

CVSS 3.1: 8.1 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
EPSS: 0.21% probability of exploitation · percentile 11.2% · 2026-06-18T12:00:27Z
Published: 2026-04-07
Last modified: 2026-05-05

Underlying weaknesses · 1

CWE-352

References

  1. https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq

Weakness mapping · 1

Type      Target                              Confidence  Tier
Weakness  Cross-Site Request Forgery (CSRF)   0%          live
          cwe-352

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-33245
  2. CVE-2026-33244
  3. CVE-2026-21884
  4. CVE-2025-61686
  5. CVE-2026-34077
  6. CVE-2025-43865
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.