Skip to main content

Open Redirect CVE-2026-34442

| EUVDEUVD-2026-17673 MEDIUM
Improper Input Validation (CWE-20)
2026-03-31 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.8.211
EUVD ID Assigned
Mar 31, 2026 - 21:46 euvd
EUVD-2026-17673
Analysis Generated
Mar 31, 2026 - 21:46 vuln.today
CVE Published
Mar 31, 2026 - 21:28 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.

AnalysisAI

Host header manipulation in FreeScout prior to version 1.8.211 allows unauthenticated remote attackers to inject arbitrary domains into application-generated absolute URLs, enabling open redirects and external resource loading attacks. The vulnerability exploits unvalidated Host header values to construct malicious links and asset references, potentially redirecting users to attacker-controlled domains or loading external resources from compromised servers. CVSS 5.4 reflects low-to-moderate real-world risk given the requirement for user interaction (UI:R), though no active exploitation has been publicly confirmed.

Technical ContextAI

FreeScout is a Laravel-based PHP help desk application that dynamically constructs absolute URLs for links and assets using the HTTP Host header without proper validation. The root cause is improper input validation (CWE-20) of untrusted HTTP headers. Laravel applications commonly use the Host header to generate base URLs for email notifications, password reset links, and front-end asset references. When an attacker crafts a request with a manipulated Host header (e.g., 'Host: attacker.com'), the application incorporates this value into generated URLs, bypassing SAME_SITE protections and enabling open redirect vulnerabilities. This is particularly dangerous in help desk contexts where generated links are shared via email or displayed in system status pages, increasing user trust and click-through likelihood.

RemediationAI

Vendor-released patch: FreeScout 1.8.211. Upgrade immediately from the official GitHub releases page at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.211. For organizations unable to upgrade immediately, implement a reverse proxy or WAF rule to validate and restrict the Host header to expected domain values only, preventing arbitrary domain injection. Verify that email notifications and system status pages (such as /system/status) are not exposing user-controllable URLs after patching. Audit logs for suspicious Host header values in prior access patterns.

CVE-2017-1000117 HIGH POC
8.8 Oct 05

A malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca

CVE-2024-52875 HIGH POC
8.8 Jan 31

GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of

CVE-2016-5385 HIGH POC
8.1 Jul 19

PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect

CVE-2013-2248 MEDIUM POC
5.8 Jul 20

Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to

CVE-2012-6499 MEDIUM POC
5.8 Jan 12

Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows

CVE-2015-2863 MEDIUM POC
4.3 Jul 20

Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b

CVE-2017-3528 MEDIUM POC
5.4 Apr 24

Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li

CVE-2012-0518 MEDIUM
4.7 Oct 16

Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3

CVE-2024-21641 MEDIUM POC
6.5 Jan 05

Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp

CVE-2015-5354 MEDIUM POC
5.8 Jul 01

Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites

CVE-2015-5461 MEDIUM POC
6.4 Jul 08

Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for

CVE-2024-22891 CRITICAL POC
9.8 Mar 01

Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit

Share

CVE-2026-34442 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy