npm package
rwsdk
pkg:npm/rwsdk
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42190 | Med | 5.3 | | >= 1.0.0-beta.50, < 1.2.3 | 1.2.3 | May 8, 2026 | RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server |
| CVE-2026-39371 | High | 8.1 | | >= 1.0.0-beta.50, < 1.0.6 | 1.0.6 | Apr 7, 2026 | RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, server functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to tr |