5.3
CVE-2026-42190
- EPSS 0.11%
- Published 08.05.2026 19:35:17
- Last modified 14.05.2026 13:54:01
- Source security-advisories@github.com
RedwoodSDK: Same-site CSRF in server actions
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 up to (but not including) version 1.2.3, server actions in rwsdk enforce the HTTP method but perform no origin validation. A request originating from a different origin that the browser treats as same-site can therefore invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.
Data provided by the National Vulnerability Database (NVD)
Affected products:
- Redwoodjs ≫ Redwoodsdk version >= 1.0.1, < 1.2.3
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta50
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta51
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta52
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta53
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta53_test20260205213024
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta54
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta55
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta56
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta57
- Redwoodjs ≫ Redwoodsdk version 1.0.0, update beta58
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.11% | 0.016 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 5.3 | 1.6 | 3.6 | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
CWE-352 Cross-Site Request Forgery (CSRF)
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c
https://github.com/redwoodjs/sdk/releases/tag/v1.2.3