Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
beefree.io SDK is vulnerable to Stored XSS in Social Media icon URL parameter in email builder functionality. Malicious attacker can inject arbitrary HTML and JS into template, which will be rendered/executed when visiting preview page. However due to beefree's Content Security Policy not all payloads will execute successfully.
This issue has been fixed in version 3.47.0.
AnalysisAI
The beefree.io SDK contains a Stored Cross-Site Scripting (XSS) vulnerability in the Social Media icon URL parameter within its email builder functionality, allowing attackers to inject arbitrary HTML and JavaScript code that persists in email templates and executes when preview pages are visited. The vulnerability affects beefree.io SDK versions prior to 3.47.0 across all platforms. While the impact is partially mitigated by beefree's Content Security Policy, attackers can still achieve limited script execution and social engineering attacks, making this a moderate-risk vulnerability that requires immediate patching.
Technical ContextAI
The vulnerability is rooted in improper input validation and output encoding of the Social Media icon URL parameter within beefree.io SDK's email builder component. This is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting). The affected product is identified via CPE as cpe:2.3:a:bee_content_design:befree_sdk:*:*:*:*:*:*:*:*, which covers all versions before 3.47.0. The vulnerability is a Stored XSS variant, meaning malicious payloads are persisted in the application's data store (email templates) rather than reflected in a single request. While beefree's implemented Content Security Policy provides some defense-in-depth protection that blocks certain payload execution patterns, the CSP is incomplete and does not comprehensively prevent all JavaScript execution vectors, leaving residual risk.
RemediationAI
Organizations using beefree.io SDK must immediately upgrade to version 3.47.0 or later to obtain the fix for this Stored XSS vulnerability. The upgrade process should follow beefree's standard release procedures and testing protocols to ensure compatibility with existing email templates. Until patching is complete, implement compensating controls by restricting access to the email builder component to trusted users only, disabling template sharing functionality if possible, and implementing additional server-side output encoding on preview pages to provide defense-in-depth against XSS payloads. If you have used beefree SDK to generate email templates in production, audit existing templates for suspicious Social Media icon URLs or unusual script content. For deployment guidance and technical details, consult the vendor advisory at https://beefree.io/ and the security report from CERT-PL at https://cert.pl/en/posts/2026/03/CVE-2025-12518.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-208823