Skip to main content

Freescout

54 CVEs product

Monthly

CVE-2026-45294 MEDIUM PATCH This Month

FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.

Information Disclosure Freescout
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-47123 HIGH PATCH This Week

Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-48810 MEDIUM PATCH This Month

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-48811 MEDIUM PATCH This Month

FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.

Authentication Bypass Freescout
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41906 HIGH PATCH This Week

Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.

Authentication Bypass Freescout
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-41904 HIGH PATCH This Week

Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.

XSS Freescout
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-41902 CRITICAL PATCH Act Now

{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.

Information Disclosure Freescout
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41903 MEDIUM PATCH This Month

FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.

Authentication Bypass Freescout
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41194 MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.

CSRF Freescout
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-41193 CRITICAL PATCH Act Now

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. With CVSS 9.1 (Critical) and EPSS data not provided, the primary risk factor is the changed scope (S:C) indicating potential container/hosting infrastructure compromise beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.

Path Traversal Freescout
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-41192 HIGH PATCH This Week

Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The vulnerability exploits insufficient authorization checks in the reply/draft workflows, allowing peers with legitimate conversation access to extract encrypted attachment IDs via load_attachments, then submit those IDs through save_draft to trigger deletion of attachments they should not control. With CVSS 7.1 (AV:N/AC:L/PR:L) and EPSS data unavailable, risk depends heavily on whether attackers have mailbox credentials and access to shared conversations. GitHub commit 5f182818e confirms the fix validates attachment ownership before deletion.

Authentication Bypass Freescout
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-40567 MEDIUM PATCH This Month

{%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.

Code Injection Freescout
NVD GitHub
CVSS 3.1
5.8
EPSS
0.0%
CVE-2026-40498 HIGH PATCH This Week

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.

Denial Of Service Information Disclosure Freescout
NVD GitHub
CVSS 4.0
8.9
EPSS
0.0%
CVE-2026-40497 HIGH PATCH This Week

CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).

XSS Privilege Escalation CSRF Freescout
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-40496 HIGH PATCH This Week

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.

Information Disclosure Freescout
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.0%
CVE-2026-35584 MEDIUM PATCH This Month

{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.

Authentication Bypass Freescout
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-39384 HIGH PATCH This Week

Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter-intended to restrict agents' access to specific customers-is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis, EPSS data not provided.

Authentication Bypass Freescout
NVD GitHub
CVSS 3.1
7.6
EPSS
0.0%
CVE-2026-32754 CRITICAL Act Now

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.

XSS Freescout
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-32753 MEDIUM This Month

Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.

XSS Freescout
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32752 NONE PATCH Awaiting Data

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS
0.0%
CVE-2026-28289 CRITICAL POC PATCH Act Now

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

PHP Laravel RCE Race Condition Freescout
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-27637 CRITICAL POC PATCH Act Now

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers to predict reset tokens and take over accounts. PoC and patch available.

Laravel Freescout
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-27636 HIGH POC PATCH Act Now

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.

Apache PHP Laravel RCE Freescout
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2025-58163 HIGH POC PATCH This Week

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Deserialization RCE Freescout
NVD GitHub
CVSS 4.0
8.6
EPSS
1.0%
CVE-2025-48880 MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Race Condition Freescout
NVD GitHub
CVSS 4.0
5.1
EPSS
0.3%
CVE-2025-48875 MEDIUM POC PATCH Monitor

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available.

XSS Freescout
NVD GitHub
CVSS 4.0
4.6
EPSS
0.2%
CVE-2025-48489 MEDIUM POC Monitor

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 4.0
4.6
EPSS
0.1%
CVE-2025-48488 MEDIUM POC Monitor

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 4.0
4.6
EPSS
0.2%
CVE-2025-48487 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 4.0
6.0
EPSS
0.2%
CVE-2025-48486 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 4.0
6.1
EPSS
0.2%
CVE-2025-48485 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 4.0
6.1
EPSS
0.2%
CVE-2025-48484 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 4.0
4.6
EPSS
0.2%
CVE-2025-48483 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure CSRF XSS Freescout
NVD GitHub
CVSS 4.0
6.3
EPSS
0.1%
CVE-2025-48482 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2025-48481 MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
6.1
EPSS
0.1%
CVE-2025-48480 HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2025-48479 HIGH POC This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
8.5
EPSS
0.1%
CVE-2025-48478 HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
7.0
EPSS
0.1%
CVE-2025-48477 HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-48476 HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
7.1
EPSS
0.1%
CVE-2025-48475 MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-48474 MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-48473 MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2025-48472 MEDIUM POC PATCH This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
CVSS 4.0
6.9
EPSS
0.2%
CVE-2025-48471 HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache RCE File Upload Freescout
NVD GitHub
CVSS 4.0
7.0
EPSS
2.9%
CVE-2025-48390 HIGH POC PATCH This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP Code Injection Freescout
NVD GitHub
CVSS 4.0
8.6
EPSS
1.3%
CVE-2025-48389 HIGH POC PATCH This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization Freescout
NVD GitHub
CVSS 4.0
8.6
EPSS
4.0%
CVE-2025-48388 HIGH PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Freescout
NVD GitHub
CVSS 4.0
7.0
EPSS
0.3%
CVE-2024-34698 MEDIUM POC PATCH This Month

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Prototype Pollution XSS Freescout
NVD GitHub
CVSS 3.1
6.3
EPSS
0.5%
CVE-2024-34697 MEDIUM POC PATCH This Month

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Freescout
NVD GitHub
CVSS 3.1
6.1
EPSS
0.6%
CVE-2024-29185 CRITICAL POC Act Now

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP Command Injection Freescout
NVD GitHub
CVSS 3.1
9.0
EPSS
1.7%
CVE-2024-29184 HIGH POC This Week

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
CVSS 3.1
8.0
EPSS
0.9%
CVE-2024-28186 HIGH POC PATCH This Week

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Microsoft Freescout
NVD GitHub
CVSS 3.1
7.1
EPSS
0.6%
CVE-2024-1932 MEDIUM POC This Month

Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Freescout
NVD
CVSS 3.1
4.8
EPSS
0.4%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

FreeScout help desk software prior to version 1.8.219 leaks account existence through its password reset endpoint, enabling unauthenticated remote attackers to enumerate valid helpdesk agent email addresses at scale. The endpoint returns visually distinct responses depending on whether a submitted email is registered, violating CWE-203 (Observable Discrepancy) and creating a reliable reconnaissance channel. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the zero-authentication, low-complexity attack surface makes automated enumeration trivially achievable against any internet-exposed FreeScout instance running a pre-1.8.219 version.

Information Disclosure Freescout
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication bypass in FreeScout help desk (versions prior to 1.8.220) allows remote attackers who can spoof an agent's email From address to inject forged replies into customer-facing threads. The FetchEmails command's notification reply path parsed thread_id and user_id directly from the Message-ID without HMAC verification, so spoofed messages were relayed to customers through the legitimate SMTP server. No public exploit identified at time of analysis, but the upstream commit publicly documents the exact missing hash check.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Improper authorization in FreeScout's ThreadPolicy::edit method (prior to 1.8.221) allows an authenticated user with PERM_EDIT_CONVERSATIONS to rewrite thread bodies in a mailbox they have been removed from. The policy validates authorship and a global permission flag but omits a current mailbox membership check, meaning revocation of mailbox access does not prevent thread editing by former members. No public exploit has been identified and this is not in CISA KEV; the flaw was discovered as a sibling issue during review of a previously reported ThreadPolicy::delete authorization gap.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

FreeScout's internal note deletion endpoint allows a low-privileged authenticated user to permanently destroy private thread notes in any conversation, bypassing mailbox membership checks entirely. The ThreadPolicy::delete authorization policy fails to verify whether the requesting user still belongs to the mailbox containing the targeted note - meaning a deprovisioned former team member with a still-active account can erase internal notes they previously created across any conversation. No public exploit has been identified at time of analysis, and this vulnerability is fixed in version 1.8.221.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Privilege escalation in FreeScout allows low-privileged agents to reassign conversations to customers in unauthorized mailboxes. The Change Customer modal enforces mailbox-scoped visibility on the frontend search endpoint, but the backend conversation_change_customer action lacks parallel authorization checks, accepting arbitrary customer_email parameters. An authenticated agent with access to mailbox A can forge requests to bind conversations to customers in mailbox B, bypassing tenant isolation controls. Vendor-released patch version 1.8.214 addresses this authorization bypass alongside four related customer visibility vulnerabilities disclosed concurrently (GHSA-mv55-3mgv-fxwr, GHSA-wjw4-8xg6-342m, GHSA-9ff4-mmhv-x6jp, GHSA-674v-r6xp-mvp6). No active exploitation confirmed (not in CISA KEV); CVSS 7.1 reflects network vector with low complexity but requires authenticated agent credentials.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Stored XSS in FreeScout's auto-reply feature allows authenticated users with updateAutoReply permission to inject malicious scripts that execute in customer email clients. Every customer contacting the affected mailbox receives the weaponized auto-reply email, where the payload executes without CSP protection in webmail or email client contexts. The vulnerability affects FreeScout versions prior to 1.8.217, which contains the vendor-released patch. EPSS data not provided, no CISA KEV listing indicates limited observed exploitation despite the chain-reaction impact potential.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

{hash} endpoint accepts 60-character invite_hash values with no time-based expiration, remaining valid indefinitely until consumed. Attackers who obtain leaked invite links through forwarded emails, HTTP referrer logs, CDN access logs, or archived messages can set passwords for target accounts months or years post-issuance. CVSS 9.1 (Critical) with network vector and no authentication required. Patched in version 1.8.217 with 7-day invite expiration. EPSS and KEV data not available; no public exploit code identified at time of analysis.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

FreeScout versions prior to 1.8.217 allow authenticated users with PERM_EDIT_USERS permission to read and modify notification subscriptions of any other user, including administrators, via a single POST request. This authorization bypass enables attackers to silently disable admin notifications, suppressing security alerts and conversation assignments without detection. The vulnerability is a sibling of CVE-2025-48472, indicating incomplete patching of a related code path.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Cross-site request forgery (CSRF) in FreeScout prior to version 1.8.215 allows unauthenticated remote attackers to disconnect OAuth integrations from a mailbox by tricking a logged-in admin into visiting a malicious web page, resulting in loss of email synchronization and potential service disruption. The vulnerability stems from the OAuth disconnect endpoint using GET HTTP method without CSRF token validation, enabling attackers to craft simple links or embed requests in third-party sites to trigger account modifications.

CSRF Freescout
NVD GitHub
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. With CVSS 9.1 (Critical) and EPSS data not provided, the primary risk factor is the changed scope (S:C) indicating potential container/hosting infrastructure compromise beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.

Path Traversal Freescout
NVD GitHub
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Authenticated mailbox users can delete arbitrary conversation attachments in FreeScout versions prior to 1.8.215 by replaying encrypted attachment IDs through the draft-saving API. The vulnerability exploits insufficient authorization checks in the reply/draft workflows, allowing peers with legitimate conversation access to extract encrypted attachment IDs via load_attachments, then submit those IDs through save_draft to trigger deletion of attachments they should not control. With CVSS 7.1 (AV:N/AC:L/PR:L) and EPSS data unavailable, risk depends heavily on whether attackers have mailbox credentials and access to shared conversations. GitHub commit 5f182818e confirms the fix validates attachment ownership before deletion.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 5.8
MEDIUM PATCH This Month

{%customer.fullName%} template variable in reply emails, enabling attackers to embed phishing links, tracking pixels, and spoofed content in emails sent from the organization's legitimate address. No public exploit code identified at time of analysis.

Code Injection Freescout
NVD GitHub
EPSS 0% CVSS 8.9
HIGH PATCH This Week

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213, exploiting a predictable MD5 hash derived from the exposed APP_KEY. Attackers can harvest sensitive server information (full path disclosure, process IDs) and trigger resource exhaustion denial-of-service by repeatedly invoking unprotected background tasks. The vulnerability has publicly available exploit code (CVSS E:P), making it immediately actionable for attackers. EPSS data not provided, but the combination of network exposure (AV:N), no authentication required (PR:N), and confirmed POC significantly elevates real-world risk for internet-facing FreeScout installations.

Denial Of Service Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 8.1
HIGH PATCH This Week

CSS injection in FreeScout mailbox signatures enables CSRF token exfiltration and privilege escalation from authenticated agents to administrators. The vulnerability exists in FreeScout versions prior to 1.8.213 where incomplete input sanitization fails to strip <style> tags from mailbox signature fields. Attackers with mailbox configuration access leverage CSS attribute selectors to steal CSRF tokens from viewing users, then perform arbitrary state-changing actions including admin account creation. EPSS data not available; no confirmed active exploitation (CISA KEV absent). Vendor patch released in version 1.8.213 with complete fix addressing previous incomplete remediation (GHSA-jqjf-f566-485j).

XSS Privilege Escalation CSRF +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attachments by forging MD5-based download tokens. The predictable formula (md5(APP_KEY + sequential_attachment_id + guessable_size)) enables enumeration of all stored attachments without credentials. CVSS 8.8 reflects high confidentiality and integrity impact via network vector with no authentication required. EPSS data not provided. Proof-of-concept exploitation exists (E:P in CVSS vector). Vendor-released patch version 1.8.213 available via GitHub.

Information Disclosure Freescout
NVD GitHub VulDB
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

{conversation_id}/{thread_id} endpoint. The endpoint fails to verify both authentication and thread-conversation association, enabling complete enumeration of help desk conversations and metadata manipulation without credentials. This affects all FreeScout installations below version 1.8.212.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 7.6
HIGH PATCH This Week

Unauthorized cross-customer data access in FreeScout help desk software versions prior to 1.8.212 allows authenticated users with low privileges to bypass customer visibility restrictions during merge operations. The limit_user_customer_visibility parameter-intended to restrict agents' access to specific customers-is ignored when merging customer records, enabling agents to view and manipulate data outside their authorized scope. CVSS 7.6 (High) with network-based attack vector and low complexity. No public exploit identified at time of analysis, EPSS data not provided.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 9.3
CRITICAL Act Now

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, where malicious email content is stored unsanitized and executed when email notifications are sent to agents. An unauthenticated attacker can exploit this by simply sending a specially crafted email that executes malicious scripts when viewed by support staff in their email clients, potentially leading to session hijacking, credential theft, and account takeover. The vulnerability has a critical CVSS score of 9.3 due to its ease of exploitation and broad impact across all notification recipients.

XSS Freescout
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Stored XSS in FreeScout 1.8.208 and earlier allows authenticated attackers to execute arbitrary JavaScript in victims' browsers by uploading a malicious SVG file with a .png extension and image/svg+xml content type, bypassing both the attachment view logic and SVG sanitizer. The vulnerability exploits a fallback mechanism that unsafely processes invalid XML, enabling script execution when the file is rendered inline. An attacker with upload permissions can compromise other users' sessions and data through this cross-site scripting attack.

XSS Freescout
NVD GitHub VulDB
EPSS 0%
NONE PATCH Awaiting Data

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework.

Authentication Bypass Freescout
NVD GitHub VulDB
EPSS 0% CVSS 10.0
CRITICAL POC PATCH Act Now

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

PHP Laravel RCE +2
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL POC PATCH Act Now

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers to predict reset tokens and take over accounts. PoC and patch available.

Laravel Freescout
NVD GitHub
EPSS 0% CVSS 8.8
HIGH POC PATCH Act Now

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with `AllowOverride All` enabled. Public exploit code exists for this vulnerability. The attack requires valid user credentials but affects all FreeScout installations using the vulnerable PHP Laravel framework configuration.

Apache PHP Laravel +2
NVD GitHub
EPSS 1% CVSS 8.6
HIGH POC PATCH This Week

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

PHP Deserialization RCE +1
NVD GitHub
EPSS 0% CVSS 5.1
MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Race Condition Freescout
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC PATCH Monitor

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC Monitor

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC Monitor

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 6.0
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 4.6
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 4.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure CSRF XSS +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 6.1
MEDIUM POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 8.5
HIGH POC This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.0
HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 7.1
HIGH POC This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM POC PATCH This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Freescout
NVD GitHub
EPSS 3% CVSS 7.0
HIGH POC PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache RCE File Upload +1
NVD GitHub
EPSS 1% CVSS 8.6
HIGH POC PATCH This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE PHP Code Injection +1
NVD GitHub
EPSS 4% CVSS 8.6
HIGH POC PATCH This Week

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

RCE Deserialization Freescout
NVD GitHub
EPSS 0% CVSS 7.0
HIGH PATCH This Month

FreeScout is a free self-hosted help desk and shared mailbox. Rated high severity (CVSS 7.0), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Freescout
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM POC PATCH This Month

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Prototype Pollution XSS Freescout
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Code Injection Freescout
NVD GitHub
EPSS 2% CVSS 9.0
CRITICAL POC Act Now

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

PHP Command Injection Freescout
NVD GitHub
EPSS 1% CVSS 8.0
HIGH POC This Week

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Freescout
NVD GitHub
EPSS 1% CVSS 7.1
HIGH POC PATCH This Week

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Microsoft Freescout
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM POC This Month

Unrestricted Upload of File with Dangerous Type in freescout-helpdesk/freescout. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

File Upload Freescout
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy