Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.
AnalysisAI
FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.
Technical ContextAI
FreeScout is an open-source PHP application built on the Laravel framework, designed as a self-hosted help desk and shared inbox solution. The vulnerable component is the password reset workflow - a standard Laravel authentication feature - which fails to implement a uniform response regardless of whether the submitted email address maps to a real user account. CWE-203 (Observable Discrepancy) identifies the root cause class: the application's differing responses constitute an information side-channel that leaks internal account state to unauthenticated requesters. The CPE string cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* indicates the wildcard version field, meaning all versions of the freescout-help-desk/freescout package are affected until the fix was introduced in 1.8.219. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N precisely captures the scope: network-reachable, no complexity barrier, no credentials required, no user interaction, with limited confidentiality impact restricted to account existence disclosure.
RemediationAI
Vendor-released patch: FreeScout 1.8.219, confirmed by the vendor's GitHub Security Advisory GHSA-jvmv-2qcp-7855 (https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855). Upgrade to version 1.8.219 or later as the primary and definitive fix. If immediate patching is not feasible, implement rate limiting on the password reset endpoint (e.g., via nginx or a WAF rule) to throttle enumeration throughput - note this does not eliminate the information discrepancy but significantly raises the cost of large-scale enumeration and may cause latency for legitimate users who trigger limits. Additionally, restricting network access to the FreeScout instance to trusted IP ranges eliminates external enumeration entirely but is only viable for internal-facing deployments. Neither compensating control is a substitute for upgrading to 1.8.219.
File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.
Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that
Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers
FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot
FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely
FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r
FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r
A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe
Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio
Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access
Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,
Same weakness CWE-203 – Observable Discrepancy
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33441