CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Description (NVD)
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's MailboxesController. Three AJAX actions, fetch_test (line 731), send_test (line 682), and imap_folders (line 773) in app/Http/Controllers/MailboxesController.php, pass admin-configured in_server/in_port and out_server/out_port values directly to fsockopen() via Helper::checkPort() and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own sanitizeRemoteUrl() or checkUrlIpAndHost() functions. The validation block in connectionIncomingSave() is entirely commented out.

An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via fsockopen()) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's log field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at 169[.]254[.]169[.]254 can be probed and partial response data may be leaked through protocol error messages.

This is distinct from the sanitizeRemoteUrl() redirect bypass (freescout-3): different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.
Analysis (AI)
Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. …
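The description says the three connection-test actions hand admin-supplied in_server/in_port and out_server/out_port straight to fsockopen() through Helper::checkPort(), with no address validation at all. The block below is an added example written for this page, not FreeScout's own code and not its actual fix in 1.8.213: it shows what a hardened replacement for such a helper looks like in PHP, with the target validated at the IP layer, every resolved address checked, and the socket opened to the validated address rather than to the name. The function names isPublicIp, resolvePublicAddresses and checkMailPort, the port allowlist, and the sample addresses in the self-check are all assumptions.

```php
<?php
// Added example (hypothetical hardened connection-test helper), not FreeScout code.
declare(strict_types=1);

/**
 * True only for a public, routable address. Rejects loopback, RFC 1918 and
 * fc00::/7 private space, link-local (169.254.0.0/16, which contains the cloud
 * metadata endpoint, and fe80::/10), unspecified/reserved ranges and
 * IPv4-mapped IPv6, plus CGNAT and multicast, which PHP's filter flags skip.
 */
function isPublicIp(string $ip): bool
{
    // ::ffff:10.0.0.1 is just 10.0.0.1; normalise so the IPv4 checks apply.
    if (preg_match('/^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i', $ip, $m)) {
        $ip = $m[1];
    }
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    // Ranges the filter flags do not cover: RFC 6598 CGNAT and IPv4 multicast.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false) {
        $n = ip2long($ip);
        foreach (['100.64.0.0/10', '224.0.0.0/4'] as $cidr) {
            [$net, $bits] = explode('/', $cidr);
            $mask = -1 << (32 - (int) $bits);
            if (($n & $mask) === (ip2long($net) & $mask)) {
                return false;
            }
        }
    }
    return true;
}

/**
 * Resolve $host (or accept an IP literal) and return every address it maps to.
 * All A and AAAA records are checked, not just the first one, so a name that
 * mixes a public record with an internal one is refused as a whole.
 * "localhost" needs no special case: it resolves to loopback and is rejected.
 */
function resolvePublicAddresses(string $host): array
{
    $host = trim($host, " \t\n\r\0\x0B[]");
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        $addrs = [$host];
    } else {
        if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
            throw new InvalidArgumentException('invalid hostname');
        }
        $records = @dns_get_record($host, DNS_A | DNS_AAAA);
        if (!$records) {
            throw new RuntimeException("cannot resolve $host");
        }
        $addrs = [];
        foreach ($records as $r) {
            $addrs[] = $r['ip'] ?? $r['ipv6'];
        }
    }
    foreach ($addrs as $a) {
        if (!isPublicIp($a)) {
            throw new RuntimeException("non-public address $a");
        }
    }
    return $addrs;
}

/**
 * Hardened port test. Compared with a bare fsockopen($host, $port) it
 * (1) allows only mail-protocol ports, (2) validates every resolved address,
 * (3) connects to the validated IP instead of re-resolving the name, which
 * closes the DNS-rebinding window between check and use, and (4) logs the
 * reason server-side while returning a plain false to the caller.
 */
function checkMailPort(string $host, int $port, float $timeout = 5.0): bool
{
    static $allowedPorts = [25, 465, 587, 110, 143, 993, 995];
    if (!in_array($port, $allowedPorts, true)) {
        return false;
    }
    try {
        $addrs = resolvePublicAddresses($host);
    } catch (Throwable $e) {
        error_log("connection test refused for $host: " . $e->getMessage());
        return false;
    }
    $target = $addrs[0];
    if (strpos($target, ':') !== false) {
        $target = "[$target]";          // IPv6 literal form fsockopen expects
    }
    $fp = @fsockopen($target, $port, $errno, $errstr, $timeout);
    if ($fp === false) {
        return false;
    }
    fclose($fp);
    return true;
}

// Self-check on constructed addresses; none of the first group may reach fsockopen().
if (PHP_SAPI === 'cli') {
    $blocked = ['127.0.0.1', '169.254.169.254', '10.0.0.5', '100.64.1.1',
                '::1', '::ffff:192.168.1.1', 'fe80::1'];
    foreach ($blocked as $ip) {
        printf("%-22s %s\n", $ip, isPublicIp($ip) ? 'ALLOWED (bug)' : 'blocked');
    }
    printf("%-22s %s\n", '93.184.216.34', isPublicIp('93.184.216.34') ? 'allowed' : 'blocked');
}
```

Two design points matter beyond the blocklist. First, the IMAP and SMTP client connections that follow the port check must be given the same validated address, with the original hostname kept only for TLS server-name indication and certificate verification (in PHP, the peer_name stream-context option); if the client is handed the hostname, it re-resolves it and the check above is wasted. Second, the description notes that it is the raw IMAP debug log in the AJAX response that turns a blind port probe into service fingerprinting, so the admin-facing result for a failed connection should be a generic message, with the protocol transcript kept in the server log.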
EUVD-2026-24167