126 matches found
CVE-2026-42190
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...
CVE-2026-42190
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...
CVE-2026-42190
RedwoodSDK (rwsdk) server actions from version 1.0.0-beta.50 up to, but not including, 1.2.3, did not validate the Origin header, enabling same-site CSRF with the victim’s session cookie. The issue is fixed in version 1.2.3. Affected component: server actions (serverAction, RSC protocol); impact:...
CVE-2026-42190 RedwoodSDK: Same-site CSRF in in server actions
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...
CVE-2026-42190 RedwoodSDK: Same-site CSRF in in server actions
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...
EUVD-2026-28823
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...
CVE-2026-42190
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the...
Cross-site Request Forgery (CSRF)
Overview jupyterhub is a JupyterHub: A multi-user server for Jupyter notebooks Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the handling of HTTP form endpoints when requests with the Sec-Fetch-Mode: no-cors header are incorrectly treated as same-origin,...
next: Next.js Server-Side Request Forgery in Server Actions
A Server-Side Request Forgery SSRF vulnerability was identified in Next.js Server Actions. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself. The required...
RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Summary Server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. Impact An attacker who controls any origin the browser...
GHSA-M2M6-CFF5-3W7C RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Summary Server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. Impact An attacker who controls any origin the browser...
PT-2026-37173
Name of the Vulnerable Software and Affected Versions RedwoodSDK versions 1.0.0-beta.50 through 1.2.2 Description Server actions in rwsdk apply HTTP method enforcement but lack origin validation. This allows a request from a different origin, which the browser treats as same-site, to invoke a...
nextjs-sa-dos-poc-20260413
Next.js Server Actions DoS — PoC Vulnerability: Unhandled...
Exploit for Server-Side Request Forgery in Vercel Next.Js
CVE-2024-34351 Demo Minimal Next.js 14.0.0 application for de...
Exploit for Deserialization of Untrusted Data in Facebook React
R2SAE - React2Shell Auto-Exploit A Firefox extension...
CVE-2026-34072
CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...
CVE-2026-34072
CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...
CVE-2026-34072 cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution
CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...
CVE-2026-34072 cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution
CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...
CVE-2026-34072
CrnMaster cronmaster is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s...