Skip to main content

FreeScout CVE-2026-40567

| EUVDEUVD-2026-24168 MEDIUM
Improper Encoding or Escaping of Output (CWE-116)
2026-04-21 GitHub_M
5.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 16:59 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24168
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:06 nvd
MEDIUM 5.8

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the {%customer.fullName%} signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue.

AnalysisAI

HTML injection in FreeScout prior to version 1.8.213 allows unauthenticated attackers to inject arbitrary HTML into outgoing support emails by crafting a malicious From display name. The unsanitized name is stored in the database and rendered unescaped via the {%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.

Technical ContextAI

FreeScout is a self-hosted help desk application that processes inbound emails and generates templated outgoing replies. The vulnerability exists in the email template rendering pipeline: user-supplied email metadata (the From field's display name) is stored directly in the database without HTML entity encoding or sanitization. When FreeScout generates outgoing reply emails using Jinja2 or similar template syntax, it renders the customer's full name via the {%customer.fullName%} variable into the email body without output escaping. This is a Improper Output Neutralization for Web (CWE-116 / Cross-site Scripting equivalent in email context) issue. The attack vector is network-based: any attacker can send an email to the FreeScout instance with a crafted From display name containing HTML markup (e.g., "<img src=x onerror='alert(1)'> Attacker Name"), and when a support agent replies, that HTML is injected into the outgoing email sent to the customer, executed by the recipient's email client.

RemediationAI

Upgrade FreeScout to version 1.8.213 or later immediately. The patch implements HTML entity encoding or output escaping for the {%customer.fullName%} template variable and sanitizes the From display name upon storage. If immediate upgrade is not possible, apply input validation and sanitization at the email ingestion point to strip or escape HTML-like characters from sender display names before database storage, though this may alter legitimate sender names containing special characters and is not a complete mitigation. Alternatively, configure email client or server-side filters to strip HTML from inbound email metadata fields, though this is a host-based workaround requiring client-side enforcement. The primary and only recommended fix is the vendor-released patch in version 1.8.213. See https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528 for advisory details.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-40567 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy