PT-2026-26052 · Unknown · Beefree.Io Sdk
Michał Błaszczak
·
Published
2026-03-18
·
Updated
2026-03-18
·
CVE-2025-12518
CVSS v4.0
5.3
Medium
| Vector | AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
beefree.io SDK versions prior to 3.47.0
Description
The beefree.io SDK contains a Stored Cross-Site Scripting (XSS) issue within the Social Media icon URL parameter of the email builder functionality. A malicious actor can inject arbitrary HTML and JavaScript into a template. This injected code will be rendered and executed when a user views the preview page. The effectiveness of payloads may be limited by the beefree Content Security Policy.
Recommendations
Update to version 3.47.0 or later.
Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Beefree.Io Sdk