Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability simply by sending an email; when the resulting notification is opened by any subscribed agent or admin as part of their normal workflow, it enables universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover), affecting all recipients simultaneously. This issue has been fixed in version 1.8.209.
Published: 2026-03-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting that allows insertion of arbitrary HTML and potential JavaScript execution in email notifications, risking session hijacking and credential theft
Action: Immediate Patch
AI Analysis

Impact

FreeScout versions 1.8.208 and earlier store incoming email bodies in the database without sanitization and later render them unescaped in outgoing email notifications using Blade’s raw output syntax {!! $thread->body !!}. This creates a stored Cross‑Site Scripting vulnerability that allows an attacker to inject arbitrary HTML and, if executed by an email client that supports JavaScript, to run scripts that could hijack sessions or steal credentials. The weakness is identified as CWE‑116 and CWE‑79.
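The mechanism above comes down to which Blade output syntax a template uses. The following PHP snippet is an added illustration, not FreeScout's own code: it contrasts the raw path (equivalent of {!! $thread->body !!}) with Blade's escaped path ({{ $thread->body }}, which compiles to e() and thus htmlspecialchars()), shows an allow-list sanitizer for the case where some formatting must survive, and includes a small scanner that flags raw-output expressions in template source. The Thread class, the render helpers, the constructed inbound body and the template string are all assumptions made for this example.

```php
<?php
// Added example (not FreeScout's code). Requires PHP 8.0+ for constructor promotion.
declare(strict_types=1);

// Assumed stand-in for the thread model that holds the stored email body.
final class Thread
{
    public function __construct(public string $body) {}
}

// What Blade does for {{ ... }}: escape the HTML-significant characters.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Vulnerable rendering path: equivalent of {!! $thread->body !!}.
// Whatever markup arrived in the inbound mail is copied into the notification verbatim.
function renderNotificationRaw(Thread $thread): string
{
    return "<p>New reply:</p>\n<div class=\"body\">" . $thread->body . "</div>";
}

// Hardened rendering path 1: equivalent of {{ $thread->body }}.
// Markup in the email body is displayed as text and never interpreted by the client.
function renderNotificationEscaped(Thread $thread): string
{
    return "<p>New reply:</p>\n<div class=\"body\">" . e($thread->body) . "</div>";
}

// Hardened rendering path 2: keep basic formatting but drop everything else.
// strip_tags() with an allow-list removes unknown elements; the two preg_replace()
// calls then strip on* event handlers and javascript: URLs from what survived.
// This is a minimal illustration of the allow-list idea; regex-based cleanup is
// brittle, so a dedicated purifier library (e.g. HTMLPurifier) is the production choice.
function sanitizeBody(string $html): string
{
    $allowed = '<p><br><b><i><strong><em><ul><ol><li><a>';
    $clean = strip_tags($html, $allowed);
    // Remove inline event handlers such as onclick="..." from allowed elements.
    $clean = preg_replace('/\s+on\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)/i', '', $clean);
    // Neutralise javascript: URLs in href attributes of allowed <a> elements.
    $clean = preg_replace('/href\s*=\s*("|\')?\s*javascript:[^"\'>\s]*("|\')?/i', 'href="#"', $clean);
    return $clean;
}

function renderNotificationSanitized(Thread $thread): string
{
    return "<p>New reply:</p>\n<div class=\"body\">" . sanitizeBody($thread->body) . "</div>";
}

// Defensive check: list every raw-output expression in a Blade template source so a
// reviewer can confirm none of them emits an attacker-controlled field.
function findRawOutput(string $bladeSource): array
{
    preg_match_all('/\{!!\s*(.*?)\s*!!\}/s', $bladeSource, $m);
    return $m[1];
}

// Constructed sample: an inbound mail body that carries markup (not a real message).
$inbound = new Thread('<p>Hello</p><img src="x" onerror="alert(1)"><a href="javascript:void(0)">link</a>');

echo renderNotificationRaw($inbound), PHP_EOL;       // markup reaches every recipient verbatim
echo renderNotificationEscaped($inbound), PHP_EOL;   // &lt;p&gt;Hello&lt;/p&gt;... shown as text
echo renderNotificationSanitized($inbound), PHP_EOL; // <p>Hello</p><a href="#">link</a>

// Constructed template snippet: the scanner reports "$thread->body" as raw output.
$template = '<div>{!! $thread->body !!}</div><span>{{ $thread->subject }}</span>';
var_dump(findRawOutput($template));
```

In a real deployment the scanner would be run over the resources/views directory of the installation so that each remaining {!! ... !!} can be reviewed against the trust level of the value it prints; escaping via {{ }} should be the default for any field that originates in an inbound message.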

Affected Systems

The affected product is FreeScout, a PHP‑based help desk and shared inbox platform developed by freescout‑help‑desk. Versions 1.8.208 and below are vulnerable; the issue is addressed in 1.8.209 and later. The flaw exists in the email template rendering path that processes incoming messages and inserts the raw body into outgoing notification emails. All agents, administrators, and any user who views the generated notification are potentially exposed to the malicious content.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical. The EPSS score is below 1%, indicating a low current exploitation likelihood, and the vulnerability is not listed in the CISA KEV catalog. An attacker does not require authentication to exploit the flaw: they can send a malicious email that is stored unchanged, and when any subscribed user opens the resulting notification email, the embedded content is rendered. This simplicity and lack of prerequisites make the attack straightforward in a typical deployment. Administrators should prioritize applying the fix to remove the risk entirely.

Generated by OpenCVE AI on March 23, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.209 or newer

Generated by OpenCVE AI on March 23, 2026 at 21:08 UTC.

Advisories

No advisories yet.

History

Mon, 23 Mar 2026 19:15:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Freescout, Freescout freescout
Type: CPEs | Values Removed: (none) | Values Added: cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Type: Vendors & Products | Values Removed: (none) | Values Added: Freescout, Freescout freescout

Fri, 20 Mar 2026 19:15:00 +0000

Type: Metrics ssvc | Values Removed: (none) | Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared | Values Removed: (none) | Values Added: Freescout Helpdesk, Freescout Helpdesk freescout
Type: Vendors & Products | Values Removed: (none) | Values Added: Freescout Helpdesk, Freescout Helpdesk freescout

Thu, 19 Mar 2026 21:45:00 +0000

Type: Description | Values Removed: (none) | Values Added: FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email, and when opened by any subscribed agent or admin as part of their normal workflow, enabling universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover) affecting all recipients simultaneously. This issue has been fixed in version 1.8.209.
Type: Title | Values Removed: (none) | Values Added: FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})
Type: Weaknesses | Values Removed: (none) | Values Added: CWE-116, CWE-79
Type: References | Values Removed: (none) | Values Added: (none listed)
Type: Metrics cvssV3_1 | Values Removed: (none) | Values Added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:52:18.644Z

Reserved: 2026-03-13T18:53:03.532Z

Link: CVE-2026-32754

Vulnrichment

Updated: 2026-03-20T18:51:57.023Z

NVD

Status: Analyzed

Published: 2026-03-19T22:16:41.997

Modified: 2026-03-23T19:14:38.140

Link: CVE-2026-32754

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:54:41Z

Weaknesses