Skip to main content

FreeScout CVE-2026-41904

| EUVDEUVD-2026-28407 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-07 GitHub_M
7.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.6 HIGH
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 07, 2026 - 20:02 EUVD
Source Code Evidence Fetched
May 07, 2026 - 19:45 vuln.today
Analysis Generated
May 07, 2026 - 19:45 vuln.today
CVE Published
May 07, 2026 - 18:05 nvd
HIGH 7.6

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217.

AnalysisAI

Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.

Technical ContextAI

FreeScout is an open-source help desk and shared inbox application built on PHP's Laravel framework. The vulnerability resides in the auto-reply message functionality where user input is stored in the mailbox configuration but rendered without proper output encoding in outbound email HTML. CWE-79 (Cross-Site Scripting) classification indicates insufficient neutralization of input during web page generation. Email clients traditionally lack Content Security Policy enforcement, creating a trust boundary issue where server-side XSS filtering failures propagate directly to client-side execution environments. The CVSS scope change (S:C) reflects this boundary crossing from the FreeScout application context to customer email client contexts.

RemediationAI

Upgrade to FreeScout version 1.8.217 or later, which includes improved sanitization of auto-reply messages per the release notes at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217. The patch implements proper output encoding for auto-reply content before rendering in email HTML. If immediate upgrade is not feasible, restrict updateAutoReply permissions to only highly trusted administrative users and audit existing auto-reply messages for suspicious HTML/JavaScript content. Note that permission restriction does not remediate existing malicious payloads already stored in mailbox configurations-these must be manually reviewed and sanitized. As a compensating control, configure email gateway or client-side filtering to strip script tags from outbound auto-replies, though this may affect legitimate HTML formatting and does not protect customers using permissive email clients.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

CVE-2026-41904 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy