Skip to main content

FreeScout EUVDEUVD-2026-24167

| CVE-2026-40566 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-21 GitHub_M
4.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.1 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

6
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Patch available
Apr 21, 2026 - 18:01 EUVD
Analysis Generated
Apr 21, 2026 - 16:59 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 16:30 euvd
EUVD-2026-24167
Analysis Generated
Apr 21, 2026 - 16:30 vuln.today
CVE Published
Apr 21, 2026 - 16:04 nvd
MEDIUM 4.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's MailboxesController. Three AJAX actions fetch_test (line 731), send_test (line 682), and imap_folders (line 773) in app/Http/Controllers/MailboxesController.php pass admin-configured in_server/in_port and out_server/out_port values directly to fsockopen() via Helper::checkPort() and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own sanitizeRemoteUrl() or checkUrlIpAndHost() functions. The validation block in connectionIncomingSave() is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via fsockopen()) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's log field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at 169[.]254[.]169[.]254 can be probed and partial response data may be leaked through protocol error messages. This is distinct from the sanitizeRemoteUrl() redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability.

AnalysisAI

Server-Side Request Forgery (SSRF) in FreeScout versions before 1.8.213 allows authenticated administrators to probe internal networks and fingerprint services via unvalidated IMAP and SMTP connection test functionality. Three AJAX actions in MailboxesController pass attacker-controlled server hostnames and ports directly to fsockopen() and protocol clients without IP validation, hostname restrictions, or internal-range blocklists, enabling port scanning and service banner disclosure through IMAP debug logs and AJAX responses. The vulnerability requires admin authentication but affects confidentiality of internal infrastructure.

Technical ContextAI

FreeScout's mailbox configuration includes IMAP and SMTP server settings that administrators can customize. The vulnerability exists in three AJAX endpoints (fetch_test, send_test, imap_folders) within app/Http/Controllers/MailboxesController.php that call Helper::checkPort() and instantiate IMAP/SMTP client connections using admin-supplied in_server, in_port, out_server, and out_port parameters. These parameters are passed directly to PHP's fsockopen() function and mail protocol libraries without any validation against IP address ranges, private subnets, or localhost. The root cause is absent input validation (CWE-918: Server-Side Request Forgery) combined with commented-out validation logic in connectionIncomingSave(). The codebase includes defensive functions like sanitizeRemoteUrl() and checkUrlIpAndHost() that are deliberately not called in these code paths. In cloud deployments, the metadata endpoint at 169.254.169.254 becomes attackable, potentially leaking credential tokens or instance metadata through protocol error messages captured in debug logs.

RemediationAI

Upgrade FreeScout immediately to version 1.8.213 or later, which includes input validation for IMAP and SMTP server addresses. The patch adds IP validation and hostname restriction logic to the three vulnerable AJAX endpoints. Organizations unable to upgrade immediately should implement network-level compensating controls: restrict outbound TCP connections from the FreeScout server to only authorized mail servers using host-based firewall rules or network segmentation (blocking access to private IP ranges 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, and 169.254.0.0/16), disable the AJAX mailbox test features via web server rules if not in use, and limit admin role assignment to trusted users only. See GitHub security advisory GHSA-fg98-rgx6-8x4g and commit efe82e31b4a0d4c0b20025d09df0615e8139ff08 for implementation details.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-24167 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy