CVE-2026-39371

{"id": "CVE-2026-39371", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 5.2, "exploitabilityScore": 2.8}]}, "published": "2026-04-07T20:16:31.980", "references": [{"url": "https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from \"use server\" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in \"use server\" files. This vulnerability is fixed in 1.0.6."}], "lastModified": "2026-04-24T18:14:13.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7B0DDEBA-52C7-4DB5-B9C4-F2636D7FE425", "versionEndExcluding": "1.0.6", "versionStartIncluding": "1.0.1"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta50:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "8CA41DCF-0A52-41C1-B8A7-43A4986E82C8"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta51:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "1D6A8507-049F-4178-9F35-75DCF2FABA1D"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta52:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "732B2AC5-641D-4A10-943E-81D3E45B3B58"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "87581662-D0DE-4C41-A69B-FE9904E64309"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9DB6D717-F4F6-44F6-A0A0-E193060C9FC2"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta54:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "5A8BFEC9-E3E6-42ED-BAB4-FAB207B12967"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta55:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "7D968542-39B4-44AB-A187-12E59221F502"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta56:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "4DDE1FEF-94FB-47DD-997C-974F405E3985"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta57:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "9806C512-748D-4384-BC50-C28C3F3FF5D1"}, {"criteria": "cpe:2.3:a:rwsdk:redwoodsdk:1.0.0:beta58:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "BC5AB7C3-87F8-4E05-9310-637B6A3CD70F"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}