VYPR
Medium severity5.3GHSA Advisory· Published May 8, 2026· Updated May 14, 2026

CVE-2026-42190

CVE-2026-42190

Description

RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
rwsdknpm
>= 1.0.0-beta.50, < 1.2.31.2.3

Affected products

13
  • Range: >= 1.0.0-beta.50, <= 1.2.2
  • cpe:2.3:a:redwoodjs:redwoodsdk:*:*:*:*:*:*:*:*+ 10 more
    • cpe:2.3:a:redwoodjs:redwoodsdk:*:*:*:*:*:*:*:*range: >=1.0.1,<1.2.3
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta50:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta51:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta52:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta53_test20260205213024:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta54:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta55:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta56:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta57:*:*:*:*:*:*
    • cpe:2.3:a:redwoodjs:redwoodsdk:1.0.0:beta58:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 1.0.0-beta.50, < 1.2.3

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.