Seaside tries to be more secure by default than other web frameworks.
All output generated by Seaside is HTML-entity encoded by default. Unless you send
#html: to a render canvas, you should be safe against XSS.
Read more about XSS at OWASP.
Seaside automatically generates a unique id, tied to the session, for each action. This id acts like an anti-CSRF token.
Read more about CSRF at OWASP.
Seaside does automatic input validation for dropdowns, multiselect lists, option groups and radio buttons.
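The two defaults described above (entity-encoded output via #text: versus raw output via #html:, and list-based input validation for a select box) shown in one component. This is an added example, not code from Seaside or the page; it assumes a Pharo image with Seaside loaded, and the class name, package name, instance variables and the sample comment string are all constructed for illustration.

```smalltalk
"Added example, not Seaside's own code. Assumes a Pharo image with Seaside loaded.
 SecurityDemoComponent, its package and the sample strings are constructed."
WAComponent subclass: #SecurityDemoComponent
    instanceVariableNames: 'comment colour'
    classVariableNames: ''
    package: 'SecurityDemo'.

SecurityDemoComponent >> initialize
    super initialize.
    "Constructed sample input, the kind of string an untrusted user might submit."
    comment := '<script>alert(1)</script>'.
    colour := 'red'.

SecurityDemoComponent >> renderContentOn: html
    "Safe by default: #text: entity-encodes the string, so the browser displays
     the literal characters &lt;script&gt;... and never executes them."
    html paragraph: [ html text: comment ].

    "#html: writes the string verbatim and bypasses the encoding. It is only
     appropriate for markup you generated yourself, never for user input, so
     the unsafe call is left here as a comment rather than executed:
         html paragraph: [ html html: comment ]."

    html form: [
        "Input validation: Seaside maps the submitted value back onto this
         list, so the callback receives one of these three strings, never an
         arbitrary value typed into the request by hand."
        html select
            list: #('red' 'green' 'blue');
            selected: colour;
            callback: [ :value | colour := value ].
        html submitButton ].

    "Action callbacks: Seaside registers the block under an id that is only
     valid for this session, which is the per-action token the page describes."
    html anchor
        callback: [ comment := '' ];
        with: 'Clear comment'.
```

Register the component with `WAAdmin register: SecurityDemoComponent asApplicationAt: 'securitydemo'` and open it in a browser: the first paragraph shows the script tag as text, the select box rejects values outside the list, and the anchor's URL carries the session-bound callback id.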
Seaside does not run any interpreter that executes input from the web. However, if you run a command interpreter in addition to Seaside (SQL, XPath, ...), Seaside cannot protect you against command execution in those.