cbcvebase.
CVE-2026-41194
published 2026-04-21

CVE-2026-41194: FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET…

PriorityP424medium5.4CVSS 3.1
AVNACLPRNUIRSUCNILAL
EPSS
0.12%
2.1th percentile
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as `GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider}`. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF token is required and the action can be triggered cross-site against a logged-in mailbox admin. Version 1.8.215 fixes the vulnerability.

Affected

1 ranges
VendorProductVersion rangeFixed in
freescout-help-deskfreescout< 1.8.2151.8.215
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.