🔐 CVE Alert

CVE-2025-12518

UNKNOWN 0.0

Stored XSS in beefree.io

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

beefree.io SDK is vulnerable to Stored XSS in Social Media icon URL parameter in email builder functionality. Malicious attacker can inject arbitrary HTML and JS into template, which will be rendered/executed when visiting preview page. However due to beefree's Content Security Policy not all payloads will execute successfully. This issue has been fixed in version 3.47.0.

CWE CWE-79
Vendor bee content design
Product befree sdk
Published Mar 18, 2026
Last Updated Mar 18, 2026
Stay Ahead of the Next One

Get instant alerts for bee content design befree sdk

Be the first to know when new unknown vulnerabilities affecting bee content design befree sdk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Bee Content Design / Befree SDK
0 < 3.47.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
cert.pl: https://cert.pl/en/posts/2026/03/CVE-2025-12518 beefree.io: https://beefree.io/

Credits

Michał Błaszczak