Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the {%customer.fullName%} signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue.
AnalysisAI
HTML injection in FreeScout prior to version 1.8.213 allows unauthenticated attackers to inject arbitrary HTML into outgoing support emails by crafting a malicious From display name. The unsanitized name is stored in the database and rendered unescaped via the {%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.
Technical ContextAI
FreeScout is a self-hosted help desk application that processes inbound emails and generates templated outgoing replies. The vulnerability exists in the email template rendering pipeline: user-supplied email metadata (the From field's display name) is stored directly in the database without HTML entity encoding or sanitization. When FreeScout generates outgoing reply emails using Jinja2 or similar template syntax, it renders the customer's full name via the {%customer.fullName%} variable into the email body without output escaping. This is a Improper Output Neutralization for Web (CWE-116 / Cross-site Scripting equivalent in email context) issue. The attack vector is network-based: any attacker can send an email to the FreeScout instance with a crafted From display name containing HTML markup (e.g., "<img src=x onerror='alert(1)'> Attacker Name"), and when a support agent replies, that HTML is injected into the outgoing email sent to the customer, executed by the recipient's email client.
RemediationAI
Upgrade FreeScout to version 1.8.213 or later immediately. The patch implements HTML entity encoding or output escaping for the {%customer.fullName%} template variable and sanitizes the From display name upon storage. If immediate upgrade is not possible, apply input validation and sanitization at the email ingestion point to strip or escape HTML-like characters from sender display names before database storage, though this may alter legitimate sender names containing special characters and is not a complete mitigation. Alternatively, configure email client or server-side filters to strip HTML from inbound email metadata fields, though this is a host-based workaround requiring client-side enforcement. The primary and only recommended fix is the vendor-released patch in version 1.8.213. See https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528 for advisory details.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-116 – Improper Encoding or Escaping of Output
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24168