Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217.
Published: 2026-05-07
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
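As an added illustration of the pattern the description above names, and not FreeScout's own code, the PHP below renders a stored mailbox auto-reply into an HTML mail body two ways: interpolated verbatim, which mirrors the unescaped rendering the description attributes to versions before 1.8.217, and encoded on output. Function names, the strip_tags gate and the sample messages are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not FreeScout's code. Function names and the sample
// messages below are assumptions made for illustration.

// Vulnerable shape: the stored auto-reply goes into the HTML mail body
// verbatim, so markup saved by a user with updateAutoReply permission is
// delivered as live HTML to every customer the mailbox answers.
function renderAutoReplyUnsafe(string $storedMessage): string
{
    return '<div class="auto-reply">' . nl2br($storedMessage) . '</div>';
}

// Hardened shape: encode on output. htmlspecialchars() turns <, >, &, "
// and ' into entities, so the customer's mail client shows the message as
// text. nl2br() runs after encoding, so the only tags in the result are
// the <br /> elements this function itself emits.
function renderAutoReplySafe(string $storedMessage): string
{
    $encoded = htmlspecialchars($storedMessage, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="auto-reply">' . nl2br($encoded) . '</div>';
}

// Input-side gate of the kind the advisory title says was bypassed.
// It only rejects what strip_tags() recognises as a tag, and it is
// validation rather than encoding: keep it as a sanity check, but rely on
// renderAutoReplySafe() for the actual protection.
function looksLikePlainText(string $storedMessage): bool
{
    return strip_tags($storedMessage) === $storedMessage;
}

// Constructed samples: a legitimate reply and one carrying an event-handler
// attribute, the class of payload the description refers to.
$plain  = "Thanks for writing in!\nWe reply within one business day.";
$marked = "Thanks for writing in!\n<b onmouseover=\"alert(1)\">Hover</b>";

foreach ([$plain, $marked] as $message) {
    printf("gate=%s\n", looksLikePlainText($message) ? 'pass' : 'reject');
    printf("unsafe: %s\n", renderAutoReplyUnsafe($message));
    printf("safe:   %s\n\n", renderAutoReplySafe($message));
}
```

Run it with `php example.php`; the encoded output for the second sample contains `&lt;b onmouseover=` rather than a live element, which is what the 1.8.217 fix has to achieve for the mail the customer receives.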
AI Analysis

Impact

FreeScout allows a user with updateAutoReply permission to embed a malicious script in a mailbox auto-reply message. The script is stored unescaped and later injected into every auto-reply email sent to customers. Because email clients do not enforce CSP, the payload executes in the recipient's browser or mail-client context, enabling credential theft, defacement, or other client-side attacks. It is inferred that the attacker must first obtain or compromise an account with updateAutoReply rights in the system.

Affected Systems

The vulnerability exists in FreeScout versions before 1.8.217. The affected products are the freescout-help-desk vendor's free-scout application; any deployment of those releases that relies on the auto-reply feature is vulnerable until patched.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity. No EPSS score is provided, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely internal, requiring a privileged user to supply the payload, after which the malicious code is delivered to any customer who contacts the mailbox. The lack of CSP in typical email clients makes the impact broad for exposed users, and the payload could be used for phishing, data exfiltration, or session hijacking.

Generated by OpenCVE AI on May 7, 2026 at 20:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade FreeScout to version 1.8.217 or later
  • Restrict the updateAutoReply permission to trusted, minimally-privileged users
  • Audit and monitor outbound emails from the affected mailbox for unexpected XSS content


Advisories

No advisories yet.

History

Thu, 07 May 2026 20:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           Freescout Helpdesk; Freescout Helpdesk freescout
Vendors & Products   (none)           Freescout Helpdesk; Freescout Helpdesk freescout

Thu, 07 May 2026 20:15:00 +0000

Type     Values Removed   Values Added
Metrics  (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 07 May 2026 19:00:00 +0000

Type         Values Removed   Values Added
Description  (none)           FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the payload executes in the customer's webmail / mail-client context. This issue has been patched in version 1.8.217.
Title        (none)           FreeScout Stored XSS vulnerability in mailbox auto-reply: payload reaches every customer's email client (no CSP), bypassing strip_tags validator with mixed text+HTML content
Weaknesses   (none)           CWE-79
References   (none)           (none)
Metrics      (none)           cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T19:16:53.481Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41904

Vulnrichment

Updated: 2026-05-07T19:16:22.263Z

NVD

Status : Deferred

Published: 2026-05-07T19:16:01.087

Modified: 2026-05-07T20:16:43.753

Link: CVE-2026-41904

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T20:30:15Z

Weaknesses