Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final redirect destination. An attacker who can supply any URL that passes the initial host check can redirect FreeScout to internal HTTP services (cloud metadata, internal APIs, RFC1918 ranges) that would normally be blocked. This issue has been patched in version 1.8.217.
Published: 2026-05-07
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

FreeScout, a PHP-based help-desk solution, contains a Server-Side Request Forgery flaw in Helper::sanitizeRemoteUrl. The function follows HTTP redirects but mistakenly validates only the original URL, ignoring the final redirection target. An attacker who can supply a URL that passes the initial host check can cause FreeScout to request internal HTTP endpoints such as cloud-metadata services, internal APIs, or private IP ranges, thereby exposing sensitive internal resources.

Affected Systems

The issue affects FreeScout, specifically all releases prior to version 1.8.217. Updating to 1.8.217 or later removes the flaw, as the redirect target is now properly validated.

Risk and Exploitability

The CVSS score of 7.7 indicates a high-risk condition, and the vulnerability is classified as CWE-918 (Server-Side Request Forgery). Exploitation can occur from any interface that accepts external URLs processed by sanitizeRemoteUrl; an attacker need only craft a URL that passes host validation and then redirects to an internal service. Because the flaw allows internal service discovery and potential data leakage, the threat level is significant despite the absence of a current EPSS score or KEV listing. The safest mitigation is to apply the vendor-supplied patch; as temporary containment, restrict the application's outbound (egress) traffic.

Generated by OpenCVE AI on May 7, 2026 at 20:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update FreeScout to version 1.8.217 or newer to apply the patch that validates the final redirect target.
  • If an immediate upgrade is not feasible, restrict the set of allowed URLs or block internal IP ranges from being requested by the application, and monitor for unauthorized outbound requests.
  • Audit the application's configuration to ensure it does not allow arbitrary external URLs, and consider disabling or sanitizing any functionality that fetches external content.
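The first recommendation above amounts to validating the redirect destination, not just the submitted URL. The following is an added illustration of that check, not FreeScout's own code: automatic redirect following is turned off, and every hop is resolved and screened for loopback, private and reserved ranges before it is requested. The function names isSafeUrl() and fetchWithSafeRedirects() are assumed; everything else is standard PHP curl and filter functionality.

```php
// Hypothetical hardened fetcher (not FreeScout code): every redirect hop is
// validated before it is requested, instead of validating only the first URL.
function isSafeUrl(string $url): bool
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        return false;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Resolve the host, then reject loopback, RFC1918 and reserved ranges
    // (this also covers link-local cloud-metadata addresses).
    $ips = gethostbynamel($p['host']);
    if ($ips === false) {
        $ips = [trim($p['host'], '[]')]; // literal IPv6 or unresolvable name
    }
    foreach ($ips as $ip) {
        if (filter_var($ip, FILTER_VALIDATE_IP,
                FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
            return false;
        }
    }
    return true;
}

function fetchWithSafeRedirects(string $url, int $maxHops = 5): ?string
{
    for ($hop = 0; $hop <= $maxHops; $hop++) {
        if (!isSafeUrl($url)) {
            return null; // blocked: the original URL or a redirect target is internal
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_FOLLOWLOCATION => false, // follow manually so each hop is checked
            CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
            CURLOPT_TIMEOUT        => 10,
        ]);
        $body   = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL); // absolute Location or ''
        curl_close($ch);
        if ($status >= 300 && $status < 400 && $next !== '') {
            $url = $next; // re-enters the loop, so the destination is validated first
            continue;
        }
        return $body === false ? null : $body;
    }
    return null; // redirect chain too long
}
```

gethostbynamel() returns only A records, and curl resolves the name again when it connects, so a production version should also check AAAA records and pin the screened address with CURLOPT_RESOLVE to close the DNS-rebinding window between the check and the request.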

Generated by OpenCVE AI on May 7, 2026 at 20:51 UTC.

Advisories

No advisories yet.

History

Thu, 07 May 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 07 May 2026 20:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Type: Vendors & Products
Values Removed: (none)
Values Added: Freescout Helpdesk; Freescout Helpdesk freescout

Thu, 07 May 2026 19:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php follows HTTP redirects via curlGetLastRedirectedUrl() but then re-validates the original URL instead of the final redirect destination. An attacker who can supply any URL that passes the initial host check can redirect FreeScout to internal HTTP services (cloud metadata, internal APIs, RFC1918 ranges) that would normally be blocked. This issue has been patched in version 1.8.217.

Type: Title
Values Removed: (none)
Values Added: FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: redirect destination not re-validated, allowing internal HTTP / cloud-metadata access

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-918

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T20:15:18.618Z

Reserved: 2026-04-22T15:11:54.672Z

Link: CVE-2026-41905

Vulnrichment

Updated: 2026-05-07T20:14:25.934Z

NVD

Status: Deferred

Published: 2026-05-07T19:16:01.220

Modified: 2026-05-07T21:16:29.870

Link: CVE-2026-41905

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:00:13Z

Weaknesses