CVE-2026-39371

HIGH

RedwoodSDK <1.0.6 Server Function Dispatch - Cross-Site Request Forgery

Title source: manual
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-39371. PoCs published by zebbernCVE.

AI-analyzed exploit summary The repository contains only a README with references to CVE-2026-39371 and a GitHub advisory but no exploit code or technical details. It appears to be a placeholder or stub.

Description

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

Exploits (1)

nomisec STUB
by zebbernCVE · poc
https://github.com/zebbernCVE/CVE-2026-39371

The repository contains only a README with references to CVE-2026-39371 and a GitHub advisory but no exploit code or technical details. It appears to be a placeholder or stub.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed Apr 08, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 8.1
EPSS 0.0001
EPSS Percentile 0.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-352
Status published
Products (6)
npm/rwsdk 1.0.0-beta.50 - 1.0.6npm
redwoodjs/redwoodsdk 1.0.0 beta50 (10 CPE variants)
redwoodjs/redwoodsdk 1.0.1 - 1.0.6
redwoodjs/sdk >= 1.0.0-beta.50, < 1.0.6
rwsdk/redwoodsdk 1.0.0 beta50 (10 CPE variants)
rwsdk/redwoodsdk 1.0.1 - 1.0.6
Published Apr 07, 2026
Tracked Since Apr 08, 2026