Impact
FreeScout has a flaw that allows an attacker to inject arbitrary HTML into outgoing support emails. The vulnerability arises because the application stores the customer's full name exactly as it arrives in the From display name of an inbound message and later substitutes it, unescaped, for the {%customer.fullName%} variable in agent signatures. By sending an email with a crafted From display name, an attacker can embed phishing links, tracking pixels, or other malicious markup that is rendered as part of a legitimate reply from the help desk. The weakness is a classic instance of CWE-116 (improper encoding or escaping of output): the name is data, but it reaches the HTML body as markup. Because the payload lands in the signature of a genuine support email, it lends itself to credential-stealing and social-engineering attacks against recipients.
Affected Systems
The issue affects the freescout-help-desk:freescout product, specifically all installations running versions older than 1.8.213. Versions 1.8.213 and later include a patch that sanitizes the customer name before rendering it in signatures, eliminating the injection vector. Operators of the free self-hosted help desk and shared mailbox solution should confirm they are running 1.8.213 or later; customer names that were stored before the upgrade should also be reviewed, since the stored value, not the inbound message, is what the signature renders.
Risk and Exploitability
The CVSS base score of 5.8 (Medium) reflects a moderate risk: the flaw enables abuse (phishing through trusted mail) but has limited impact on the integrity of the system itself. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. No authentication is required: sending a message to the support mailbox from any external address with a crafted From display name is enough, so the vector is trivially reachable. The injected markup is rendered by any recipient mail client that displays HTML, so the malicious content appears inside a genuine reply from the help desk, and its reach grows if the support team forwards the affected conversation to other customers.
OpenCVE Enrichment