Skip to main content

FreeScout CVE-2026-40568

| EUVDEUVD-2026-24169 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-21 GitHub_M
8.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.5 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Re-analysis Queued
Apr 21, 2026 - 17:22 vuln.today
cvss_changed
Analysis Generated
Apr 21, 2026 - 17:00 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24169
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:08 nvd
HIGH 8.5

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function Helper::stripDangerousTags() (app/Misc/Helper.php:568) uses an incomplete blocklist of only four HTML tags (script, form, iframe, object) and does not remove event handler attributes. When a mailbox signature is saved via MailboxesController::updateSave() (app/Http/Controllers/MailboxesController.php:267), HTML elements such as <img>, <svg>, and <details> with event handler attributes like onerror and onload pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade {!! !!} tag in editor_bottom_toolbar.blade.php:6 and re-inserted into the visible DOM by jQuery .html() at main.js:1789-1790, triggering the injected event handlers. Any authenticated user with the ACCESS_PERM_SIGNATURE (sig) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.

AnalysisAI

Stored cross-site scripting in FreeScout versions prior to 1.8.213 allows authenticated users with mailbox signature permissions to inject arbitrary JavaScript that executes automatically whenever any agent or administrator opens a conversation in the affected mailbox. The vulnerability stems from inadequate HTML sanitization (blocklisting only four tags: script, form, iframe, object) that permits event handlers on elements like <img>, <svg>, and <details>. Exploitation requires only low-privilege authenticated access (ACCESS_PERM_SIGNATURE permission) and triggers without user interaction (CVSS UI:N), enabling session hijacking under certain CSP bypass conditions, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior across all mailboxes. EPSS data not provided; no public exploit code or CISA KEV listing identified at time of analysis. Vendor-released patch available in version 1.8.213.

Technical ContextAI

FreeScout is a PHP-based self-hosted help desk and shared mailbox system. The vulnerability exists in the mailbox signature feature's HTML sanitization routine Helper::stripDangerousTags() (app/Misc/Helper.php:568), which implements an incomplete blocklist approach that removes only four HTML element types (script, form, iframe, object) while completely ignoring event handler attributes. When signatures are saved via MailboxesController::updateSave() (app/Http/Controllers/MailboxesController.php:267), dangerous constructs like <img onerror='...'>, <svg onload='...'>, and <details ontoggle='...'> pass through unchanged and persist to the database. The stored payload is then rendered unsafely using Laravel Blade's raw output syntax {!! !!} in editor_bottom_toolbar.blade.php:6 and dynamically re-inserted into the live DOM via jQuery's .html() method at main.js:1789-1790, causing immediate script execution. This is a classic CWE-79 stored XSS vulnerability caused by relying on blocklisting rather than allowlisting for HTML sanitization, combined with unsafe rendering patterns that treat user-controlled data as trusted HTML. The CPE identifier cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* confirms all versions prior to the 1.8.213 patch are affected.

RemediationAI

Upgrade immediately to FreeScout version 1.8.213 or later, which fixes the vulnerability as documented in the release at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213. The fix is implemented in commit 1d83e1cffb0bf8d109625313530b36b0f5910b3f (https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f), which replaces the incomplete blocklist-based sanitization with more robust HTML filtering. Organizations unable to patch immediately should implement compensating controls: (1) Audit and temporarily revoke ACCESS_PERM_SIGNATURE (sig) permissions from all non-essential users, limiting signature editing to only highly trusted administrators - this reduces attack surface but impacts operational workflows where agents need signature customization. (2) Implement database-level monitoring for mailbox signature changes and inspect existing signatures for suspicious HTML elements (img, svg, details, video, audio) with event handler attributes (onerror, onload, ontoggle, onmouseover, etc.) - this is labor-intensive and requires manual review of potentially obfuscated payloads. (3) Deploy a Web Application Firewall (WAF) rule to block signature update requests containing common XSS event handlers, though this may be bypassed via encoding or uncommon event types. (4) If using a reverse proxy, strengthen Content Security Policy headers to restrict script-src to 'self' only with nonces, though the advisory notes this is partially effective and can be bypassed in IE11 or weakened by jQuery/module usage. None of these mitigations are complete substitutes for patching; upgrading to 1.8.213 is the only definitive remediation.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-40568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy