VYPR
Medium severity · NVD Advisory · Published Mar 18, 2026 · Updated Apr 27, 2026

CVE-2025-12518

Description

The beefree.io SDK is vulnerable to stored XSS in the Social Media icon URL parameter of the email builder functionality. A malicious attacker can inject arbitrary HTML and JS into a template, which will be rendered and executed when the preview page is visited. However, due to beefree's Content Security Policy, not all payloads will execute successfully.

This issue has been fixed in version 3.47.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Stored XSS in Beefree SDK email builder via social media icon URL parameter allows arbitrary HTML/JS injection; partially mitigated by CSP; fixed in version 3.47.0.

Vulnerability

Overview

CVE-2025-12518 is a stored cross-site scripting (XSS) vulnerability in the Beefree SDK email builder. The flaw exists in the social media icon URL parameter, where user-supplied input is not properly sanitized before being stored. This allows an attacker to inject arbitrary HTML and JavaScript into an email template [2].

Exploitation

An attacker with the ability to create or modify an email template using the SDK can supply a malicious URL for a social media icon field. When a user previews the affected template, the injected script executes in the browser context of the preview page. While Beefree's Content Security Policy (CSP) may block some payloads, not all payloads are prevented, leaving the possibility of partial or full exploitation [2].

Impact

Successful exploitation could lead to account compromise, data theft, or further attacks against users who view the template preview. The vulnerability has been rated medium severity and was responsibly disclosed through CERT Polska [2].

Mitigation

The issue has been fixed in version 3.47.0 of the Beefree SDK. Users should update to this version or later to mitigate the risk. CERT Polska credits Michał Błaszczak for the report [2].
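The following is an added illustration, not code from the Beefree SDK or from the advisory, of the bug class described in the Exploitation and Mitigation sections: a hypothetical renderSocialIconVulnerable() that interpolates the user-supplied icon URL straight into preview HTML, beside a hardened renderSocialIconHardened() that restricts the URL to http(s) and escapes attribute values. The function names, the payload strings and the detector are assumptions constructed for this example; the advisory does not publish the actual vulnerable markup or a working payload.

```javascript
// Added example (hypothetical, not Beefree SDK code): attribute-context
// stored XSS via a URL field, and one way to close it at render time.

// Vulnerable pattern: raw string interpolation of an untrusted URL into an
// href attribute. Both a scripting scheme and an attribute break-out land
// in the rendered HTML unchanged.
function renderSocialIconVulnerable(iconUrl, label) {
  return `<a href="${iconUrl}"><img src="icon.png" alt="${label}"></a>`;
}

// Escape the characters that matter inside a double- or single-quoted
// HTML attribute value.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Accept only http(s) URLs. Parsing with the URL constructor first means the
// scheme check runs on the normalised result (lower-cased scheme, trimmed
// whitespace), so "  JavaScript:..." cannot slip past a naive prefix test.
// Anything unparseable or on another scheme becomes an inert "#".
function sanitizeIconUrl(raw) {
  let parsed;
  try {
    parsed = new URL(String(raw).trim());
  } catch {
    return "#";
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    return "#";
  }
  return parsed.href;
}

// Hardened pattern: validate the URL, then escape every value placed in an
// attribute, including the label.
function renderSocialIconHardened(iconUrl, label) {
  const safeUrl = escapeAttr(sanitizeIconUrl(iconUrl));
  return `<a href="${safeUrl}"><img src="icon.png" alt="${escapeAttr(label)}"></a>`;
}

// Constructed payloads (assumptions for this example) of the two shapes a
// URL field invites: a scripting scheme, and a quote break-out that injects
// a new element with an event handler.
const PAYLOADS = {
  schemeInjection: "javascript:alert(document.domain)",
  attributeBreakout: '"><img src=x onerror="alert(1)">',
};

// Crude detector for the checks below: does the rendered HTML carry a
// javascript: href or an inline on* event handler attribute?
function containsActiveContent(html) {
  return /href\s*=\s*"\s*javascript:/i.test(html) || /\son[a-z]+\s*=/i.test(html);
}

// Render each payload through both code paths and report whether active
// content survived. Returns an object so the result can be asserted on.
function demo() {
  const results = {};
  for (const [name, payload] of Object.entries(PAYLOADS)) {
    results[name] = {
      vulnerable: containsActiveContent(renderSocialIconVulnerable(payload, "Twitter")),
      hardened: containsActiveContent(renderSocialIconHardened(payload, "Twitter")),
    };
  }
  return results;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The advisory's caveat that Beefree's Content Security Policy stops some payloads applies to the vulnerable path above: what a CSP blocks depends entirely on the deployed policy (for instance, whether it permits inline scripts or javascript: navigation), so it is a defence-in-depth layer rather than a fix. The fix is the scheme allowlist plus attribute escaping at the point where the stored value is rendered, which is what the hardened path shows.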

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
