Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav allows Stored XSS. This issue affects TinyNav: from n/a through 1.4.
AnalysisAI
CVE-2025-52781 is a Cross-Site Request Forgery (CSRF) vulnerability in Beee TinyNav versions up to 1.4 that enables Stored XSS attacks. An unauthenticated attacker can craft malicious requests to inject persistent JavaScript payloads into the application, which are then executed in the browsers of other users who interact with the compromised content. With a CVSS score of 7.1 and network-based attack vector requiring only user interaction, this vulnerability poses a moderate-to-significant risk to affected deployments, particularly if actively exploited in the wild or publicly disclosed with proof-of-concept code.
Technical ContextAI
The vulnerability exists in Beee TinyNav (CPE: cpe:2.3:a:beee:tinynav:*:*:*:*:*:*:*:*), a navigation/menu library/component, affecting versions from an unspecified baseline through version 1.4. The root cause is classified under CWE-352 (Cross-Site Request Forgery), which indicates insufficient CSRF token validation or SameSite cookie protections. The combination with Stored XSS suggests that CSRF protection mechanisms either do not validate state-changing requests or fail to sanitize user-supplied input before storage and rendering. This allows an attacker to forge requests on behalf of authenticated users without their consent, and the stored XSS component indicates that injected payloads persist in the application's database or backend state, bypassing typical reflected XSS mitigations. The vulnerability likely affects web applications that integrate TinyNav without additional server-side input validation, output encoding, or CSRF token implementation.
RemediationAI
Immediate remediation steps: (1) Upgrade Beee TinyNav to version 1.5 or later (if available) as a priority—patch version not explicitly stated in provided data, but vendor should publish a fix; contact Beee/project maintainers for patched release; (2) Implement server-side CSRF token validation on all state-changing endpoints using standard library functions (e.g., synchronizer tokens, double-submit cookies with SameSite=Strict); (3) Enforce Content Security Policy (CSP) headers with script-src restrictions to mitigate stored XSS even if CSRF succeeds; (4) Apply output encoding/HTML entity escaping to all user-supplied input before rendering; (5) Enable SameSite cookie attribute (SameSite=Strict or SameSite=Lax) to restrict cross-site request credential submission; (6) Conduct input validation and sanitization at the server layer, not client-side only. Short-term workaround for unpatched systems: disable or isolate TinyNav functionality behind additional authentication layers or IP restrictions until a patch is applied.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-28460