Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue.
Published: 2026-04-21
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: Stored XSS / CSS Injection
Action: Immediate Patch
AI Analysis

Impact

This vulnerability arises when FreeScout converts plain‑text URLs in email bodies into anchor tags without escaping quotation marks. The resulting href attribute can be broken out of, permitting attackers to inject arbitrary HTML attributes or script code. The flaw is a classic stored cross‑site scripting weakness.
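As an added example (not FreeScout's own code and not the real Helper.php implementation), the block below shows a linkify() in the shape the advisory describes next to a version escaped with ENT_QUOTES, plus a helper that flags anchors carrying attributes other than href; the sample body, the URL pattern and all function names are assumptions made for this illustration.

```php
<?php
// Added illustration, not FreeScout's code; names, sample body and URL pattern are assumptions.

// Constructed sample text node. The advisory says HTMLPurifier leaves a
// literal " in text nodes, so it reaches linkify() unescaped; with no
// whitespace after the quote, a [^\s<]+ style URL pattern swallows it too.
const SAMPLE_BODY = 'See https://example.com/view"title="injected" for details';
const URL_PATTERN = '~https?://[^\s<]+~i';
// Vulnerable shape: the matched URL is concatenated straight into href="...",
// so the " inside it ends the attribute and what follows becomes a new one.
function linkify_vulnerable(string $text): string
{
    return preg_replace_callback(
        URL_PATTERN,
        fn(array $m): string => '<a href="' . $m[0] . '">' . $m[0] . '</a>',
        $text
    );
}
// Hardened shape: ENT_QUOTES turns " into &quot; (and ' into &#039;), so the
// value can no longer terminate the attribute; the link text is escaped too.
function linkify_fixed(string $text): string
{
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return preg_replace_callback(
        URL_PATTERN,
        fn(array $m): string => '<a href="' . $esc($m[0]) . '">' . $esc($m[0]) . '</a>',
        $text
    );
}
// Detection helper: names of attributes other than href on any <a ...> tag.
// A non-empty result means a quote in the URL broke out of the href value.
function injected_anchor_attributes(string $html): array
{
    $found = [];
    preg_match_all('~<a\s+([^>]*)>~i', $html, $tags);
    foreach ($tags[1] as $attrs) {
        preg_match_all('~([a-z-]+)\s*=\s*"[^"]*"~i', $attrs, $m);
        foreach ($m[1] as $name) {
            if (strtolower($name) !== 'href') {
                $found[] = strtolower($name);
            }
        }
    }
    return $found;
}
echo linkify_vulnerable(SAMPLE_BODY), PHP_EOL;
echo linkify_fixed(SAMPLE_BODY), PHP_EOL;
print_r(injected_anchor_attributes(linkify_vulnerable(SAMPLE_BODY)));
print_r(injected_anchor_attributes(linkify_fixed(SAMPLE_BODY)));
```

Running the script prints both rendered bodies; the detection helper can be pointed at already-rendered conversation HTML to find messages that were linkified by an unpatched version.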

Affected Systems

The issue affects the FreeScout Help Desk application, specifically any installation using a version older than 1.8.213. All users of those versions who receive or render email content are potentially affected.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate severity. No EPSS data is currently available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need the ability to inject content that passes through the linkify() function, such as through an email message or a user‑submitted comment. Once the crafted URL is rendered, the injected HTML can execute script or alter style, leading to potential data theft or session hijacking if the victim interacts with the affected page content.

Generated by OpenCVE AI on April 22, 2026 at 03:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FreeScout installation to version 1.8.213 or later, which applies the necessary escaping to linkify() output.
  • Download the update from the project's GitHub releases or apply it using an official package manager.
  • If an immediate upgrade is not feasible, mitigate by sanitizing URLs before rendering—escape or remove quotation marks in the href attribute.
  • Alternatively, disable the automatic linkification feature until the patch can be applied.

Generated by OpenCVE AI on April 22, 2026 at 03:05 UTC.


Advisories

No advisories yet.

History

Wed, 22 Apr 2026 00:00:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 21 Apr 2026 17:45:00 +0000

Type: First Time appeared
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout
Type: Vendors & Products
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Tue, 21 Apr 2026 16:00:00 +0000

Type: Description
Values Added: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue.
Type: Title
Values Added: FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href
Type: Weaknesses
Values Added: CWE-79
Type: References
Type: Metrics (cvssV3_1)
Values Added: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T19:48:40.654Z

Reserved: 2026-04-14T13:24:29.473Z

Link: CVE-2026-40565

Vulnrichment

Updated: 2026-04-21T17:41:10.975Z

NVD

Status : Undergoing Analysis

Published: 2026-04-21T16:16:20.390

Modified: 2026-04-21T20:16:59.407

Link: CVE-2026-40565

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T03:15:06Z

Weaknesses