Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered "safe" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209.
Published: 2026-03-19
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting that enables an authenticated user to embed malicious JavaScript via an SVG file treated as a safe image, allowing script execution in other users' browsers.
Action: Patch Now
AI Analysis

Impact

FreeScout versions 1.8.208 and earlier contain a stored cross-site scripting flaw that allows an authenticated user to upload a file named with a harmless image extension, such as .png, but with a declared MIME type of image/svg+xml. The inline-rendering decision checks only the extension and the declared MIME type, so the server treats the file as a safe inline image even though the body is SVG and can contain embedded JavaScript. When another user or administrator opens the link to the uploaded file, the script runs in their browser, enabling the attacker to perform arbitrary actions on their behalf.
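The two-check decision described above, beside a hardened version, as an added illustration that is not FreeScout's own code: the weak check trusts the extension allowlist and the client-declared Content-Type, while the hardened check sniffs the body, refuses to render anything XML/SVG-like inline, and fails closed on malformed XML instead of falling back to a weaker sanitizer. The sample uploads, the allowlist and all function names are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample uploads (filename, declared Content-Type, body); not taken
# from the advisory or the FreeScout code base. The first mimics the reported
# pattern: an SVG body behind a .png name and an image/svg+xml Content-Type.
SAMPLES = {
    "svg_as_png": ("xss.png", "image/svg+xml",
                   b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'),
    "real_png": ("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    "broken_xml": ("chart.png", "image/svg+xml", b"<svg><rect></svg"),
}

SAFE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}  # assumed allowlist
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def inline_weak(filename: str, content_type: str, body: bytes) -> bool:
    """Decision of the kind the advisory describes: extension allowlist plus the
    client-declared Content-Type. Both checks pass for an SVG body named .png."""
    return extension(filename) in SAFE_EXTENSIONS and content_type.startswith("image/")


def looks_like_xml(body: bytes) -> bool:
    """Cheap content sniff: an XML declaration or an <svg> tag near the start."""
    head = body.lstrip()[:512].lower()
    return head.startswith(b"<?xml") or b"<svg" in head


def inline_hardened(filename: str, content_type: str, body: bytes) -> bool:
    """Ignore the declared type as a trust signal, sniff the body, and never render
    XML/SVG inline. A .png body must also carry the PNG magic bytes."""
    ext = extension(filename)
    if ext not in SAFE_EXTENSIONS or content_type == "image/svg+xml" or looks_like_xml(body):
        return False  # served with Content-Disposition: attachment instead
    if ext == "png" and not body.startswith(PNG_MAGIC):
        return False
    return True


def parse_svg_or_reject(body: bytes):
    """Fail closed: a would-be SVG that is not well-formed XML is rejected rather
    than handed to a fallback sanitizer. Returns the root element or None."""
    try:
        return ET.fromstring(body)
    except ET.ParseError:
        return None
```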

Affected Systems

The vulnerability applies to the free help-desk software Freescout from the vendor freescout-help-desk. All releases up to and including version 1.8.208 are affected; versions 1.8.209 and newer include the fix.

Risk and Exploitability

The CVSS base score is 8.5, indicating high severity. The EPSS score is below 1%, suggesting a low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog. To exploit the flaw an attacker must first be an authenticated user who uploads the crafted file; any subsequent user, for example an administrator, who opens the link to the uploaded file will have the malicious script executed in their browser. The execution grants the attacker full control over that user's session, enabling data theft, session hijacking, and unauthorized actions within the application.

Generated by OpenCVE AI on March 23, 2026 at 20:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.209 or later.
  • Verify that all installations are running the patched version.
  • If SVG uploads are not required, disable SVG file uploads or enforce stricter MIME type validation.

Tracking

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
First Time appeared Freescout
Freescout freescout
CPEs cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products Freescout
Freescout freescout
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 20 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Freescout Helpdesk
Freescout Helpdesk freescout
Vendors & Products Freescout Helpdesk
Freescout Helpdesk freescout

Thu, 19 Mar 2026 21:45:00 +0000

Type Values Removed Values Added
Description FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered "safe" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209.
Title FreeScout: Stored XSS through SVG file upload with filter bypass
Weaknesses CWE-80
References
Metrics cvssV4_0

{'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Freescout Freescout
Freescout Helpdesk Freescout
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T20:16:50.749Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32753

Vulnrichment

Updated: 2026-03-20T20:16:47.554Z

NVD

Status: Analyzed

Published: 2026-03-19T22:16:41.827

Modified: 2026-03-23T19:25:21.127

Link: CVE-2026-32753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:43Z

Weaknesses