CVE-2026-39384

| EUVD-2026-19740 HIGH
2026-04-07 GitHub_M
7.6
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

3
Analysis Generated
Apr 07, 2026 - 16:30 vuln.today
EUVD ID Assigned
Apr 07, 2026 - 16:30 euvd
EUVD-2026-19740
CVE Published
Apr 07, 2026 - 16:05 nvd
HIGH 7.6

Tags

Authentication Bypass

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.

Analysis

Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter-intended to restrict agents' access to specific customers-is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all FreeScout deployments and confirm current versions. Within 7 days: Upgrade FreeScout to version 1.8.212 or later if available from vendor, or implement access control review of merge operation permissions. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

38
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Share

CVE-2026-39384 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy