Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217.
AnalysisAI
Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.
Technical ContextAI
FreeScout is an open-source help desk and shared inbox application built on PHP's Laravel framework. The vulnerability resides in the auto-reply message functionality where user input is stored in the mailbox configuration but rendered without proper output encoding in outbound email HTML. CWE-79 (Cross-Site Scripting) classification indicates insufficient neutralization of input during web page generation. Email clients traditionally lack Content Security Policy enforcement, creating a trust boundary issue where server-side XSS filtering failures propagate directly to client-side execution environments. The CVSS scope change (S:C) reflects this boundary crossing from the FreeScout application context to customer email client contexts.
RemediationAI
Upgrade to FreeScout version 1.8.217 or later, which includes improved sanitization of auto-reply messages per the release notes at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217. The patch implements proper output encoding for auto-reply content before rendering in email HTML. If immediate upgrade is not feasible, restrict updateAutoReply permissions to only highly trusted administrative users and audit existing auto-reply messages for suspicious HTML/JavaScript content. Note that permission restriction does not remediate existing malicious payloads already stored in mailbox configurations-these must be manually reviewed and sanitized. As a compensating control, configure email gateway or client-side filtering to strip script tags from outbound auto-replies, though this may affect legitimate HTML formatting and does not protect customers using permissive email clients.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28407