Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.
Published: 2026-03-31
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect with External Resource Loading
Action: Patch now
AI Analysis

Impact

FreeScout accepts the Host header from incoming HTTP requests without validation and incorporates it into generated absolute URLs. An attacker can alter the Host header to an arbitrary domain, causing the application to build links and load assets that point to malicious servers. This results in open redirect behavior that can redirect users to phishing or malware sites and enables the loading of external resources, potentially exfiltrating data or executing code in the user's browser. The weakness combines improper input validation of the Host header (CWE-20) with open redirect (CWE-601) and inclusion of functionality from an untrusted control sphere (CWE-829).

Affected Systems

The vulnerability exists in the FreeScout help desk product for all releases prior to version 1.8.211. Users deploying freescout-help-desk:freescout must verify that their installation is at version 1.8.211 or later to ensure the issue is addressed.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity, and the EPSS score of less than 1% suggests a low likelihood of exploitation in the wild. The issue is not listed in the CISA KEV catalog. An attacker needs only to craft an HTTP request with a modified Host header, a relatively simple requirement that can be automated. Because Host header manipulation can be performed from any external source, the risk to systems that are exposed to the internet is real, but the probability of a large-scale attack remains low given the expert knowledge required to exploit the flaw.

Generated by OpenCVE AI on April 2, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading to FreeScout 1.8.211 or a later release.
  • If immediate upgrade is not possible, configure the web server or application to reject or sanitize the Host header before it is used to generate URLs.
  • Monitor incoming requests for anomalous Host header values and review access logs for possible redirection attempts.
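A defender-side check for the second and third recommendations above, added here as an example and not FreeScout's or OpenCVE's own code: it canonicalises a Host value, accepts only an exact allowlist match (so the application never builds absolute URLs from an attacker-supplied host), and runs the same check over access-log lines to surface anomalous Host values. ALLOWED_HOSTS, the log format (common log format with the Host header appended as host="...") and the sample log lines are assumptions constructed for this example.

```python
import re

# Constructed for this example: the canonical host(s) the help desk is served on;
# in a real deployment this mirrors the configured application URL.
ALLOWED_HOSTS = {"helpdesk.example.com", "helpdesk.example.com:8443"}

# Lower-case RFC 1123 hostname, optional trailing dot, optional numeric port.
_HOST_RE = re.compile(
    r"^(?P<host>(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)\.?"
    r"(?::(?P<port>\d{1,5}))?$"
)
# Assumed log format: common log format plus the Host header appended as host="...".
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "\S+ (?P<path>\S+) [^"]*" \d+ \d+ host="(?P<host>[^"]*)"')

def normalize_host(value):
    """Canonical 'host' or 'host:port' form of a Host header value, or None if malformed."""
    m = _HOST_RE.match(value.strip().lower())
    if not m:  # userinfo ('@'), slashes, whitespace, empty labels and the like all fail here
        return None
    host, port = m.group("host"), m.group("port")
    if port is None:
        return host
    return f"{host}:{port}" if 0 < int(port) <= 65535 else None

def host_is_trusted(value, allowed=ALLOWED_HOSTS):
    """Allowlist check: accept only an exact match of the canonical form, never a substring."""
    canon = normalize_host(value)
    return canon is not None and canon in allowed

def scan_access_log(lines, allowed=ALLOWED_HOSTS):
    """Return (client ip, path, Host value) for every request whose Host is not allowlisted."""
    findings = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and not host_is_trusted(m.group("host"), allowed):
            findings.append((m.group("ip"), m.group("path"), m.group("host")))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '198.51.100.7 - - [02/Apr/2026:10:00:01 +0000] "GET /system/status HTTP/1.1" 200 4821 host="helpdesk.example.com"',
    '203.0.113.9 - - [02/Apr/2026:10:00:05 +0000] "GET /system/status HTTP/1.1" 200 4821 host="attacker.example"',
    '203.0.113.9 - - [02/Apr/2026:10:00:06 +0000] "GET /login HTTP/1.1" 200 2310 host="helpdesk.example.com@attacker.example"',
    '198.51.100.7 - - [02/Apr/2026:10:00:09 +0000] "GET /login HTTP/1.1" 200 2310 host="HELPDESK.EXAMPLE.COM."',
]

if __name__ == "__main__":
    for ip, path, host in scan_access_log(SAMPLE_LOG):
        print(f"untrusted Host from {ip} on {path}: {host!r}")
```

The same allowlist belongs in front of the application (web server virtual host default or framework trusted-host setting) so that a mismatched Host is rejected before any URL is generated from it.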

Generated by OpenCVE AI on April 2, 2026 at 03:52 UTC.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products | | Freescout Helpdesk; Freescout Helpdesk freescout

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freescout; Freescout freescout
CPEs | | cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products | | Freescout; Freescout freescout
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.
Title | | FreeScout: Host Header Injection Leading to External Resource Loading and Open Redirect in FreeScout
Weaknesses | | CWE-20, CWE-601, CWE-829
References | |
Metrics | | cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T13:36:09.314Z

Reserved: 2026-03-27T18:18:14.894Z

Link: CVE-2026-34442

Vulnrichment

Updated: 2026-04-01T13:35:55.696Z

NVD

Status : Analyzed

Published: 2026-03-31T22:16:19.333

Modified: 2026-04-01T19:49:03.010

Link: CVE-2026-34442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:10:24Z

Weaknesses