CVE-2025-12518

EUVD-2025-208823 | MEDIUM 5.3 (CVSS 4.0)
2026-03-18 | CERT-PL

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: None
User Interaction: Passive
Vulnerable System Confidentiality / Integrity / Availability: None / None / None
Subsequent System Confidentiality / Integrity / Availability: Low / Low / None

Lifecycle Timeline

Mar 18, 2026 - 11:03  CVE Published (nvd), MEDIUM 5.3
Mar 18, 2026 - 11:15  EUVD ID Assigned (euvd): EUVD-2025-208823
Mar 18, 2026 - 11:15  Analysis Generated (vuln.today)

Description

The beefree.io SDK is vulnerable to Stored XSS in the Social Media icon URL parameter of the email builder functionality. A malicious attacker can inject arbitrary HTML and JS into a template, which will be rendered/executed when the preview page is visited. However, due to beefree's Content Security Policy, not all payloads will execute successfully. This issue has been fixed in version 3.47.0.

Analysis

The beefree.io SDK contains a Stored Cross-Site Scripting (XSS) vulnerability in the Social Media icon URL parameter of its email builder. An attacker who can set that URL in a template can store arbitrary HTML and JavaScript in it; the payload is then rendered, and where the Content Security Policy allows it executed, in the browser of anyone who opens the template's preview page. Versions of the SDK prior to 3.47.0 are affected. The CSP on the preview page blocks some payloads but not all, so an attacker can still obtain limited script execution or inject attacker-controlled markup (for example links) for social engineering. This makes it a moderate-risk issue (CVSS 4.0 base score 5.3) that should be patched promptly.

Technical Context

The vulnerability is rooted in insufficient validation of the Social Media icon URL value and missing output encoding when that value is written into the preview page by beefree.io SDK's email builder component. It is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting). The affected product is identified via CPE as cpe:2.3:a:bee_content_design:befree_sdk:*:*:*:*:*:*:*:*, covering all versions before 3.47.0. This is a Stored XSS variant: the payload is persisted with the email template rather than reflected from a single request, so it fires for every viewer of the preview, not only for the person who submitted it. Beefree's Content Security Policy is a defence-in-depth measure, not a fix: it blocks some payload patterns (the description notes that not all payloads execute), but anything that fits within what the policy permits still runs, and markup-only payloads such as attacker-controlled links are not affected by a script-focused CSP at all. The residual risk is therefore real until the SDK is upgraded.

Affected Products

The beefree.io SDK in all releases prior to 3.47.0 is affected. The issue is tracked as ENISA EUVD-2025-208823 and under the CPE identifier cpe:2.3:a:bee_content_design:befree_sdk:*:*:*:*:*:*:*:*. The vendor, Bee Content Design, has published information regarding this issue. Additional details are available from CERT-PL at https://cert.pl/en/posts/2026/03/CVE-2025-12518 and the official beefree.io website at https://beefree.io/.

Remediation

Organizations using the beefree.io SDK should upgrade to version 3.47.0 or later, which contains the fix for this Stored XSS vulnerability, and confirm afterwards that the deployed SDK version is at least 3.47.0. Follow beefree's standard release and testing procedures to check compatibility with existing email templates. Until the upgrade is complete, apply compensating controls: restrict access to the email builder to trusted users, disable template sharing where possible, and add server-side validation of Social Media icon URLs (allow only http, https and mailto schemes) together with output encoding on preview pages as defence-in-depth. If the SDK has been used to build templates in production, audit the stored templates for Social Media icon URLs that use a non-http(s) scheme or contain quote, angle-bracket or script content, since a payload planted before the upgrade remains in the template data. For deployment guidance and technical details, consult the vendor at https://beefree.io/ and the CERT-PL report at https://cert.pl/en/posts/2026/03/CVE-2025-12518.
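As an added worked example (this is not beefree.io SDK code, and the field and function names socialIcons, iconUrl, imageUrl, renderSocialIconUnsafe and renderSocialIconSafe are assumptions for illustration), the JavaScript below shows the class of sink described under Technical Context, a hardened renderer that applies the scheme allow-list plus attribute encoding recommended above, and the template audit from the Remediation section, all run over a constructed template holding one benign and two hostile Social Media icon URLs.

```javascript
// Added example, not beefree.io SDK code. Names below (socialIcons, iconUrl,
// imageUrl, renderSocialIcon*) are assumptions for illustration only.

// --- Vulnerable sink: the stored URL is interpolated into the preview HTML verbatim.
// A javascript: URL or a quote in the value lands directly in the <a> tag.
function renderSocialIconUnsafe(icon) {
  return `<a href="${icon.iconUrl}"><img src="${icon.imageUrl}" alt="${icon.name}"></a>`;
}

// --- Hardened path: validate the URL, then encode it as an HTML attribute.
const ALLOWED_SCHEMES = new Set(['http:', 'https:', 'mailto:']);

// Classify a stored URL. Rejects values that would break out of an attribute,
// values that do not parse as absolute URLs, and disallowed schemes.
function classifyUrl(raw) {
  const value = String(raw ?? '').trim();
  if (/["'<>\s\x00-\x1f]/.test(value)) {
    return { ok: false, reason: 'attribute-breakout characters' };
  }
  let url;
  try {
    url = new URL(value); // throws on relative or malformed input
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) {
    return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  }
  return { ok: true, href: url.href };
}

// Encode for the double-quoted HTML attribute context.
function escapeHtmlAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function renderSocialIconSafe(icon) {
  const link = classifyUrl(icon.iconUrl);
  const img = classifyUrl(icon.imageUrl);
  const href = link.ok ? link.href : '#';   // neutralise rejected link targets
  const src = img.ok ? img.href : '';
  return `<a href="${escapeHtmlAttr(href)}"><img src="${escapeHtmlAttr(src)}" alt="${escapeHtmlAttr(icon.name)}"></a>`;
}

// --- Audit: list stored icon URLs that fail classification (for templates
// created before the upgrade, as the Remediation section recommends).
function auditTemplate(template) {
  const findings = [];
  for (const icon of template.socialIcons ?? []) {
    for (const field of ['iconUrl', 'imageUrl']) {
      const result = classifyUrl(icon[field]);
      if (!result.ok) {
        findings.push({ name: icon.name, field, value: icon[field], reason: result.reason });
      }
    }
  }
  return findings;
}

// Constructed sample template: one benign icon, one javascript: URL,
// one attribute breakout adding an event handler.
const sampleTemplate = {
  socialIcons: [
    { name: 'X', iconUrl: 'https://x.com/example', imageUrl: 'https://cdn.example/x.png' },
    { name: 'Blog', iconUrl: 'javascript:alert(document.domain)', imageUrl: 'https://cdn.example/b.png' },
    { name: 'Mastodon', iconUrl: 'https://mastodon.social/@x" onmouseover="alert(1)', imageUrl: 'https://cdn.example/m.png' },
  ],
};

for (const icon of sampleTemplate.socialIcons) {
  console.log('unsafe:', renderSocialIconUnsafe(icon));
  console.log('safe:  ', renderSocialIconSafe(icon));
}
console.log('audit findings:', auditTemplate(sampleTemplate));
```

The unsafe renderer emits `href="javascript:..."` for the second icon and a stray `onmouseover="alert(1)"` attribute for the third; the hardened renderer replaces both with `href="#"` and the audit reports exactly those two fields. Note that a CSP without `'unsafe-inline'` would stop the `javascript:` link but does nothing about a plain `https://` link to an attacker site, which is why validation and encoding at the sink, not the CSP, is the fix.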

Priority Score

27 on a Low / Medium / High / Critical scale
Contributions: KEV 0, EPSS +0.0, CVSS +26, POC 0

