CVE-2026-39371Redwoodjs · Redwoodsdk
Vulnerability data via NVD (ingested)
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-39371product:"Redwoodjs Redwoodsdk"http.html:"Redwoodsdk"More intel sources (5)
vuln:CVE-2026-39371vulnerabilities.cve_id: CVE-2026-39371CVE-2026-39371CVE-2026-39371"CVE-2026-39371" exploit -site:nvd.nist.gov