CVE-2025-54598

MEDIUM

Bevy < 2025-06-24 - CSRF

Title source: rule

Description

The Bevy Event service through 2025-07-22, as used for eBay Seller Events and other activities, allows CSRF to delete all notifications via the /notifications/delete/ URI.

References (3)

[Product] https://bevy.com/b/events-and-groups

[Exploit, Third Party Advisory] https://gist.github.com/deep1chil/057b63e62d4db6158a3ee28995fc246f

[Not Applicable] https://github.com/actuator/cve/blob/main/Kuwfi/CVE-2025-43985.txt

View Writeup ZIP pw:eip

Scores

CVSS v3 6.5

EPSS 0.0003

EPSS Percentile 6.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Classification

CWE

CWE-352

Status published

Affected Products (1)

bevy/bevy < 2025-06-24

Timeline

Published Aug 27, 2025

Tracked Since Feb 18, 2026