FreeScout CVE-2026-41192

EUVD-2026-24221 | Severity: HIGH
Missing Authorization (CWE-862)
Published 2026-04-21 (source: GitHub_M)
CVSS 3.1 base score: 7.1

CVSS Vector (source: NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: Low

Lifecycle Timeline

Apr 22, 2026 - 21:22 (vuln.today): Re-analysis queued (cvss_changed)
Apr 21, 2026 - 19:01 (EUVD): Patch available
Apr 21, 2026 - 18:48 (vuln.today): Analysis generated

Description (source: NVD)

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in attachments_all[] but omitted from retained lists are decrypted and passed directly to Attachment::deleteByIds(). Because load_attachments returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through save_draft and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability.

Analysis (AI-generated)

Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The flaw stems from insufficient authorization checks in the reply/draft workflows: a peer with legitimate access to a conversation can obtain encrypted attachment IDs from load_attachments and submit them through save_draft, triggering deletion of attachments they should not control. …
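The authorization gap described in the description and analysis above, reduced to a self-contained PHP script. This is an added illustration, not FreeScout's own code: deleteByIds(), the thread_id/user_id columns and the encryptId()/decryptId() helpers are hypothetical stand-ins for the application's real schema and for Laravel's encrypt()/decrypt(), and the attachment rows are constructed.

```php
<?php
// Added example (not FreeScout's code): in-memory model of the save_draft cleanup described
// above, with the missing authorization check beside a fixed version. deleteByIds(),
// thread_id and user_id are hypothetical stand-ins for the real schema.
// Constructed "attachments" table: id => the thread it belongs to and the user who uploaded it.
$attachments = [
    11 => ['thread_id' => 100, 'user_id' => 1, 'file' => 'contract.pdf'], // a peer's sent reply
    12 => ['thread_id' => 200, 'user_id' => 2, 'file' => 'scratch.txt'],  // user 2's own draft
];
$key = hash('sha256', 'constructed-demo-key', true); // stand-in for the application key
// Stand-ins for Laravel's encrypt()/decrypt(): opaque to the client, reversible on the server.
function encryptId(int $id, string $key): string {
    $iv = random_bytes(16);
    return base64_encode($iv . openssl_encrypt((string)$id, 'aes-256-ctr', $key, OPENSSL_RAW_DATA, $iv));
}
function decryptId(string $token, string $key): int {
    $raw = base64_decode($token);
    return (int)openssl_decrypt(substr($raw, 16), 'aes-256-ctr', $key, OPENSSL_RAW_DATA, substr($raw, 0, 16));
}
function deleteByIds(array $ids, array &$attachments): array {
    foreach ($ids as $id) unset($attachments[$id]); // row and file go away together
    return $ids;
}

// Vulnerable shape: every ID in attachments_all[] that is absent from the retained list is
// decrypted and deleted. A token that decrypts cleanly is treated as permission to delete.
function saveDraftVulnerable(array $req, array &$attachments, string $key): array {
    $retained = array_map(fn($t) => decryptId($t, $key), $req['attachments']);
    $toDelete = [];
    foreach ($req['attachments_all'] as $t) {
        $id = decryptId($t, $key);
        if (!in_array($id, $retained, true)) $toDelete[] = $id;
    }
    return deleteByIds($toDelete, $attachments);
}

// Fixed shape: a token only names a row; the row must also belong to this user's own draft
// thread. Anything else the client submits is ignored (and worth logging as a replay attempt).
function saveDraftFixed(array $req, array &$attachments, string $key, int $userId, int $draftThread): array {
    $retained = array_map(fn($t) => decryptId($t, $key), $req['attachments']);
    $toDelete = [];
    foreach ($req['attachments_all'] as $t) {
        $id = decryptId($t, $key);
        $row = $attachments[$id] ?? null;
        if ($row === null || $row['thread_id'] !== $draftThread || $row['user_id'] !== $userId) continue;
        if (!in_array($id, $retained, true)) $toDelete[] = $id;
    }
    return deleteByIds($toDelete, $attachments);
}
// User 2 saves a draft whose attachments_all[] carries the peer's token for 11 plus its own 12.
$req = ['attachments_all' => [encryptId(11, $key), encryptId(12, $key)], 'attachments' => []];
$a = $attachments; echo 'vulnerable deleted: ', implode(',', saveDraftVulnerable($req, $a, $key)), "\n";
$a = $attachments; echo 'fixed deleted: ', implode(',', saveDraftFixed($req, $a, $key, 2, 200)), "\n";
```

Run with `php` 7.4 or later: the vulnerable path removes both rows, the fixed path removes only row 12, because the ownership check, not the validity of the encrypted token, decides what may be deleted.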


Remediation (AI-generated)

Within 24 hours: Identify all FreeScout instances and document current version numbers; restrict mailbox access to trusted administrators if possible. Within 7 days: Upgrade all FreeScout deployments to version 1.8.215 or later; test draft-saving and attachment workflows post-upgrade. …



CVE-2026-41192 vulnerability details – vuln.today
