Skip to main content

Freescout CVE-2026-32754

CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-19 GitHub_M
9.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 19, 2026 - 22:00 vuln.today
CVE Published
Mar 19, 2026 - 21:35 nvd
CRITICAL 9.3

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email, and when opened by any subscribed agent or admin as part of their normal workflow, enabling universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover) affecting all recipients simultaneously. This issue has been fixed in version 1.8.209.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.

Technical ContextAI

FreeScout is a PHP Laravel-based help desk application (CPE: cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:*) that processes incoming support emails and generates notification emails to agents. The vulnerability stems from improper neutralization of input during web page generation (CWE-79), specifically in the email notification template system where email bodies are rendered using Blade's raw output syntax {!! $thread->body !!} without proper sanitization. This allows HTML and potentially JavaScript code from incoming emails to be stored in the database and later executed in the context of email clients when notifications are sent, creating a stored XSS condition that affects all recipients of the notification emails.

RemediationAI

Upgrade FreeScout to version 1.8.209 or later immediately, which includes the security fix documented in commit 3329379db38a86cf7069b0709061b95a7d38985b. The patched version is available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209. Until patching is possible, consider implementing email content filtering at the mail server level to strip HTML content from incoming emails, though this may impact legitimate formatting. Additionally, ensure agents use email clients with robust XSS protections and disable automatic loading of external content in emails.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

CVE-2026-40496 HIGH
8.8 Apr 21

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attach

Share

CVE-2026-32754 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy