Skip to main content

FreeScout EUVDEUVD-2026-33441

| CVE-2026-45294 MEDIUM
Observable Discrepancy (CWE-203)
2026-05-29 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 29, 2026 - 21:02 EUVD
Analysis Generated
May 29, 2026 - 20:35 vuln.today

DescriptionGitHub Advisory

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.

AnalysisAI

FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.

Technical ContextAI

FreeScout is an open-source PHP application built on the Laravel framework, designed as a self-hosted help desk and shared inbox solution. The vulnerable component is the password reset workflow - a standard Laravel authentication feature - which fails to implement a uniform response regardless of whether the submitted email address maps to a real user account. CWE-203 (Observable Discrepancy) identifies the root cause class: the application's differing responses constitute an information side-channel that leaks internal account state to unauthenticated requesters. The CPE string cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:* indicates the wildcard version field, meaning all versions of the freescout-help-desk/freescout package are affected until the fix was introduced in 1.8.219. The CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N precisely captures the scope: network-reachable, no complexity barrier, no credentials required, no user interaction, with limited confidentiality impact restricted to account existence disclosure.

RemediationAI

Vendor-released patch: FreeScout 1.8.219, confirmed by the vendor's GitHub Security Advisory GHSA-jvmv-2qcp-7855 (https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855). Upgrade to version 1.8.219 or later as the primary and definitive fix. If immediate patching is not feasible, implement rate limiting on the password reset endpoint (e.g., via nginx or a WAF rule) to throttle enumeration throughput - note this does not eliminate the information discrepancy but significantly raises the cost of large-scale enumeration and may cause latency for legitimate users who trigger limits. Additionally, restricting network access to the FreeScout instance to trusted IP ranges eliminates external enumeration entirely but is only viable for internal-facing deployments. Neither compensating control is a substitute for upgrading to 1.8.219.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41193 CRITICAL
9.1 Apr 21

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code executio

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

Share

EUVD-2026-33441 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy