Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask() in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR ranges. The entire 10.0.0.0/8 and 172.16.0.0/12 private ranges are unprotected. This issue has been patched in version 1.8.211.
Published: 2026-03-31
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SSRF protection bypass enabling internal network access
Action: Upgrade
AI Analysis

Impact

This vulnerability is due to a flaw in the IP validation function checkIpByMask(). The function tests the input IP for a "/" character, which plain IP addresses never contain, so it returns false before comparing the address against any CIDR range. As a result, addresses in the private ranges 10.0.0.0/8 and 172.16.0.0/12 pass the SSRF filter. An attacker can send requests that reach internal services via the application, potentially gaining access to internal resources or performing reconnaissance, impacting the confidentiality and integrity of internal assets.
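Added example, not FreeScout's code: a CIDR membership check of the kind checkIpByMask() is meant to perform, looking for the "/" in each mask entry rather than in the IP under test. The function name ipInCidrList and the range list are assumptions.

```php
<?php
// Hypothetical correct CIDR check (added example, not app/Misc/Helper.php).
// Returns true if $ip, a plain dotted-quad IPv4 literal, falls inside any
// entry of $masks. Entries may be "a.b.c.d/bits" or a bare address.
function ipInCidrList(string $ip, array $masks): bool
{
    $ipLong = ip2long($ip);
    if ($ipLong === false) {
        // Not a valid IPv4 literal (IPv6 or a hostname). Callers must resolve
        // hostnames before calling this; an unparseable value is not a match.
        return false;
    }
    foreach ($masks as $mask) {
        // The "/" belongs to the mask entry, never to the IP being tested.
        if (strpos($mask, '/') === false) {
            if (ip2long($mask) === $ipLong) {   // bare address: exact match only
                return true;
            }
            continue;
        }
        [$net, $bitsStr] = explode('/', $mask, 2);
        $netLong = ip2long($net);
        if ($netLong === false || !ctype_digit($bitsStr) || (int) $bitsStr > 32) {
            continue;                           // malformed entry: skip it
        }
        $bits = (int) $bitsStr;
        // Subnet mask as a 32-bit unsigned value; /0 matches everything.
        $subnet = $bits === 0 ? 0 : (~((1 << (32 - $bits)) - 1)) & 0xFFFFFFFF;
        if (($ipLong & $subnet) === ($netLong & $subnet)) {
            return true;
        }
    }
    return false;
}

// Constructed sample list: the private ranges named in the advisory plus
// loopback and 192.168.0.0/16, as a defender's block list would contain.
$privateRanges = ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8'];
foreach (['10.1.2.3', '172.31.255.1', '172.32.0.1', '8.8.8.8'] as $candidate) {
    printf("%-14s blocked=%s\n", $candidate,
        ipInCidrList($candidate, $privateRanges) ? 'yes' : 'no');
}
```

Run it under the PHP CLI after an upgrade to confirm the same inputs are classified consistently with the application's own filter.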

Affected Systems

This issue affects the FreeScout help desk application built on PHP's Laravel framework. All releases prior to 1.8.211 are vulnerable. The affected product is freescout-help-desk:freescout. Users running any version earlier than 1.8.211 are exposed to the SSRF bypass.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, but the low EPSS of <1% suggests that exploitation is currently uncommon. The vulnerability is not listed in CISA KEV. Exploitation requires the attacker to be able to trigger the SSRF mechanism within the application, then supply a plain IP address that falls within a private network range; the buggy check allows such addresses to bypass the intended filter.

Generated by OpenCVE AI on April 13, 2026 at 16:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Freescout to version 1.8.211 or later to apply the patch that fixes the CIDR check.
  • Verify that SSRF controls function correctly by testing with private IP addresses after the update.
  • If an upgrade is not immediately possible, restrict outgoing requests from the FreeScout installation to external networks only, preventing private IP ranges from being accessed.

Advisories

No advisories yet.

History

Mon, 13 Apr 2026 15:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freescout; Freescout freescout
CPEs | | cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products | | Freescout; Freescout freescout
Metrics | | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Thu, 02 Apr 2026 20:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products | | Freescout Helpdesk; Freescout Helpdesk freescout

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
Description | | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask() in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR ranges. The entire 10.0.0.0/8 and 172.16.0.0/12 private ranges are unprotected. This issue has been patched in version 1.8.211.
Title | | FreeScout: SSRF protection bypass via broken CIDR check in checkIpByMask()
Weaknesses | | CWE-918
References | |
Metrics | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:54:55.589Z

Reserved: 2026-03-27T18:18:14.894Z

Link: CVE-2026-34443

Vulnrichment

Updated: 2026-04-01T18:54:48.342Z

NVD

Status : Analyzed

Published: 2026-03-31T22:16:19.507

Modified: 2026-04-13T15:14:59.970

Link: CVE-2026-34443

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:12Z

Weaknesses