Description
The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows CSRF to delete all notifications via the /notifications/delete/ URI.
References (3)
Core 3
Core References
Exploit, Third Party Advisory
https://gist.github.com/deep1chil/057b63e62d4db6158a3ee28995fc246f
Scores
CVSS v3
6.5
EPSS
0.0003
EPSS Percentile
8.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-352
Status
published
Products (1)
bevy/bevy
< 2025-06-24
Published
Aug 27, 2025
Tracked Since
Feb 18, 2026