Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download tokens are generated using a weak and predictable formula: md5(APP_KEY + attachment_id + size). Since attachment_id is sequential and size can be brute-forced in a small range, an unauthenticated attacker can forge valid tokens and download any private attachment without credentials. Version 1.8.213 fixes the issue.
AnalysisAI
Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.
Technical ContextAI
FreeScout is a self-hosted open-source help desk and shared mailbox system built on PHP/Laravel. The vulnerability exists in the attachment access control mechanism which generates download authorization tokens using MD5(APP_KEY + attachment_id + size). This falls under CWE-330 (Use of Insufficiently Random Values) because the token generation relies on predictable inputs: attachment_id values are sequential integers assigned to database records, file sizes occupy a narrow numeric range (typically bytes to megabytes), and APP_KEY is a Laravel application secret that remains constant per installation. MD5 is a fast cryptographic hash, enabling rapid brute-force attempts. An attacker can iterate through sequential attachment_id values combined with common file sizes to generate candidate tokens and systematically harvest all attachments stored in the system. The affected product per CPE is cpe:2.3:a:freescout-help-desk:freescout for all versions prior to 1.8.213.
RemediationAI
Immediate upgrade to FreeScout version 1.8.213 or later is the primary remediation, available from https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The fix implemented in commit dbdf8f2260b43a21818255c70f0b61b9de9cd555 replaces the weak token formula with cryptographically secure random token generation. For organizations unable to immediately upgrade, implement compensating controls: restrict network access to FreeScout web interface to authenticated VPN users only (eliminates unauthenticated remote attack vector but prevents external customer access), deploy web application firewall rules to rate-limit /download or attachment endpoint requests (slows enumeration attacks but determined attackers can still succeed over time), or temporarily disable attachment features if operationally feasible (breaks core help desk functionality). All compensating controls have significant operational trade-offs and should be considered temporary measures only. Post-upgrade, audit server logs for suspicious sequential attachment download patterns from single IPs to identify potential prior exploitation. Rotate APP_KEY after patching if logs indicate compromise, as existing tokens generated with old formula may remain valid in user sessions. Review all attachments accessed during the vulnerability window for unauthorized disclosure of sensitive data.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24049