Skip to main content

Beee TinyNav EUVDEUVD-2025-28460

| CVE-2025-52781 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2025-06-20 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Re-analysis Queued
Apr 23, 2026 - 15:42 vuln.today
cvss_changed
EUVD ID Assigned
Mar 15, 2026 - 00:19 euvd
EUVD-2025-28460
Analysis Generated
Mar 15, 2026 - 00:19 vuln.today
CVE Published
Jun 20, 2025 - 15:15 nvd
HIGH 7.1

DescriptionCVE.org

Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav allows Stored XSS. This issue affects TinyNav: from n/a through 1.4.

AnalysisAI

CVE-2025-52781 is a Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav versions up to 1.4 that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads into the application, which are then executed in the browsers of other users who interact with the compromised content. With a CVSS score of 7.1 and network-based attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to affected deployments, particularly if actively exploited in the wild or publicly disclosed with proof-of-concept code.

Technical ContextAI

The vulnerability exists in Beee TinyNav (CPE: cpe:2.3:a:beee:tinynav:*:*:*:*:*:*:*:*), a navigation/menu library/component, affecting versions from an unspecified baseline through version 1.4. The root cause is classified under CWE-352 (Cross-Site Request Forgery), which indicates insufficient CSRF token validation or SameSite cookie protections. The combination with Stored XSS suggests that CSRF protection mechanisms either do not validate state-changing requests or fail to sanitize user-supplied input before storage and rendering. This allows an attacker to forge requests on behalf of authenticated users without their consent, and the stored XSS component indicates that injected payloads persist in the application's database or backend state, bypassing typical reflected XSS mitigations. The vulnerability likely affects web applications that integrate TinyNav without additional server-side input validation, output encoding, or CSRF token implementation.

RemediationAI

Immediate remediation steps: (1) Upgrade Beee TinyNav to version 1.5 or later (if available) as a priority—patch version not explicitly stated in provided data, but vendor should publish a fix; contact Beee/project maintainers for patched release; (2) Implement server-side CSRF token validation on all state-changing endpoints using standard library functions (e.g., synchronizer tokens, double-submit cookies with SameSite=Strict); (3) Enforce Content Security Policy (CSP) headers with script-src restrictions to mitigate stored XSS even if CSRF succeeds; (4) Apply output encoding/HTML entity escaping to all user-supplied input before rendering; (5) Enable SameSite cookie attribute (SameSite=Strict or SameSite=Lax) to restrict cross-site request credential submission; (6) Conduct input validation and sanitization at the server layer, not client-side only. Short-term workaround for unpatched systems: disable or isolate TinyNav functionality behind additional authentication layers or IP restrictions until a patch is applied.

Share

EUVD-2025-28460 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy