Description
The beefree.io SDK is vulnerable to Stored XSS through the Social Media icon URL parameter in the email builder functionality. A malicious attacker can inject arbitrary HTML and JavaScript into a template, which is rendered and executed when the preview page is visited. However, because of beefree's Content Security Policy, not all payloads will execute successfully. This issue has been fixed in version 3.47.0.
Published: 2026-03-18
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS (client-side code execution)
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a Stored Cross‑Site Scripting (XSS) flaw in the Social Media icon URL parameter within the Beefree SDK email builder. A malicious attacker can inject arbitrary HTML and JavaScript into a template, and the injected code is rendered and executed when a preview page is viewed. Although the SDK implements a Content Security Policy that limits execution of certain payloads, some scripts may still run, enabling an attacker to steal session cookies, deface content, or redirect users. The weakness is classified as CWE‑79 and carries a CVSS score of 5.3, indicating moderate severity.

Affected Systems

The affected vendor is Bee Content Design, product Beefree SDK. All releases prior to version 3.47.0 are susceptible. The issue was fixed in SDK version 3.47.0, so any deployments using 3.46.x or earlier are impacted.

Risk and Exploitability

With a CVSS score of 5.3 and no EPSS data, the risk is considered moderate. The vulnerability requires access to the template preview functionality, which may be limited to users with appropriate permissions. It is not listed in the CISA Known Exploited Vulnerabilities catalog. Since the flaw allows execution of arbitrary client-side code, exploitability is high wherever users can view or share preview links, and lower in fully isolated environments.

Generated by OpenCVE AI on March 18, 2026 at 12:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to upgrade to Beefree SDK version 3.47.0 or later.

Advisories

No advisories yet.

History

Thu, 19 Mar 2026 09:45:00 +0000

Type: First Time appeared
Values Added: Bee Content Design; Bee Content Design befree Sdk
Type: Vendors & Products
Values Added: Bee Content Design; Bee Content Design befree Sdk

Wed, 18 Mar 2026 15:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 11:15:00 +0000

Type: Description
Values Added: beefree.io SDK is vulnerable to Stored XSS in Social Media icon URL parameter in email builder functionality. Malicious attacker can inject arbitrary HTML and JS into template, which will be rendered/executed when visiting preview page. However due to beefree's Content Security Policy not all payloads will execute successfully. This issue has been fixed in version 3.47.0.
Type: Title
Values Added: Stored XSS in beefree.io
Type: Weaknesses
Values Added: CWE-79
Type: References
Values Added:
Type: Metrics
Values Added: cvssV4_0
{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-03-18T14:21:26.302Z

Reserved: 2025-10-30T15:47:42.770Z

Link: CVE-2025-12518

Vulnrichment

Updated: 2026-03-18T14:21:12.265Z

NVD

Status : Deferred

Published: 2026-03-18T11:16:14.530

Modified: 2026-04-27T19:22:08.623

Link: CVE-2025-12518

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:58:53Z

Weaknesses