Freescout-Help-Desk Freescout vulnerabilities
62 known vulnerabilities affecting freescout-help-desk/freescout.
Total CVEs: 62
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 24, MEDIUM 28, LOW 2
Vulnerabilities
Page 2 of 4
CVE-2026-39384 | P3 | HIGH | CVSS 7.6 | CWE-639 | fixed in 1.8.212 | 2026-04-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility parameter into account when merging customers. This vulnerability is fixed in 1.8.212.
Source: NVD
CVE-2026-40589 | P3 | HIGH | CVSS 7.6 | CWE-639 | fixed in 1.8.214 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email address already owned by a hidden customer in another mailbox. The server discloses the hidden customer’s name and profile URL in the success flash, reassigns the hidden email to the visible custom…
Source: NVD
CVE-2025-48390 | P3 | HIGH | CVSS 7.2 | CWE-94 | fixed in 1.8.178 | 2025-05-29
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the php_path parameter. The backticks characters are not removed, as well as tabulation is not removed. When checking user input, the file_exists function is also called to che…
Source: NVD
CVE-2026-47123 | P3 | HIGH | CVSS 7.5 | CWE-290 | fixed in 1.8.220 | 2026-05-29
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails command has two code paths for identifying agent (user) replies based on In-Reply-To / References headers. The notification reply path (notify-{thread_id}-{user_id}-...) extracts thread_id and us…
Source: NVD
CVE-2026-35584 | P3 | MEDIUM | CVSS 6.5 | CWE-306 | fixed in 1.8.212 | 2026-04-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, the endpoint GET /thread/read/{conversation_id}/{thread_id} does not require authentication and does not validate whether the given thread_id belongs to the given conversation_id. This allows any unauthenticated attacker to mark any thread as read by…
Source: NVD
CVE-2026-40497 | P3 | HIGH | CVSS 8.1 | CWE-79 | fixed in 1.8.213 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes ``, ``, ``, `` but does NOT strip `` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversatio…
Source: NVD
CVE-2026-41906 | P3 | HIGH | CVSS 7.1 | CWE-639 | fixed in 1.8.214 | 2026-05-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-scope customers through the mailbox-filtered search endpoint, but the backend conversation_change_customer action accepts any supplied customer_email. A low-privileged agent can forge a request an…
Source: NVD
CVE-2026-41191 | P3 | HIGH | CVSS 7.1 | CWE-863 | fixed in 1.8.215 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with only the mailbox `sig` permission sees only the signature field in the UI, but can still change the hidden mailbox-wide chat setting via direct POST. Version…
Source: NVD
CVE-2026-40591 | P3 | HIGH | CVSS 7.1 | CWE-639 | fixed in 1.8.214 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone` values and resolves the target customer in the backend without enforcing mailbox-scoped customer visibility. As a result, a low-privileged agent who can…
Source: NVD
CVE-2026-41190 | P3 | HIGH | CVSS 7.1 | CWE-863 | fixed in 1.8.215 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The `save_draft` AJAX path is weaker. A direct POST can create a draft inside a conversation that is hidden in the…
Source: NVD
CVE-2026-41904 | P3 | HIGH | CVSS 7.6 | CWE-79 | fixed in 1.8.217 | 2026-05-07
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store an XSS payload in the mailbox auto-reply message. The payload is rendered unescaped in the auto-reply email sent to every customer who contacts the mailbox. Email clients do not enforce CSP, so the…
Source: NVD
CVE-2026-41189 | P3 | HIGH | CVSS 7.1 | CWE-863 | fixed in 1.8.215 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not apply the assigned-only restriction from `ConversationPolicy`. A user who cannot view a conversation can still load and edit customer-authored threads ins…
Source: NVD
CVE-2026-41192 | P3 | HIGH | CVSS 7.1 | CWE-862 | fixed in 1.8.215 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for a…
Source: NVD
CVE-2025-48388 | P3 | MEDIUM | CVSS 6.5 | CWE-93 | fixed in 1.8.178 | 2025-05-29
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application performs insufficient validation of user-supplied data, which is used as arguments to string formatting functions. As a result, an attacker can pass a string containing special symbols (\r, \n, \t) to the application. This issue has been patched in…
Source: NVD
CVE-2025-48880 | P4 | MEDIUM | CVSS 6.6 | CWE-362 | fixed in 1.8.181 | 2025-05-30
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, when an administrative account is deleting a user, there is the possibility of a race condition occurring. This issue has been patched in version 1.8.181.
Source: NVD
CVE-2026-40567 | P4 | MEDIUM | CVSS 5.8 | CWE-116 | fixed in 1.8.213 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via t…
Source: NVD
CVE-2026-40592 | P4 | MEDIUM | CVSS 5.9 | CWE-862 | fixed in 1.8.214 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view the parent conversation. It does not verify that the current user created the reply being undone. In a shared mailbox, one agent can therefore recall anot…
Source: NVD
CVE-2026-40570 | P4 | MEDIUM | CVSS 5.7 | CWE-639 | fixed in 1.8.213 | 2026-04-21
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the `load_customer_info` action in `POST /conversation/ajax` returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retrieve all customer PII. Version 1.8.213 fixes the is…
Source: NVD
CVE-2026-34442 | P4 | MEDIUM | CVSS 6.1 | CWE-20 | fixed in 1.8.211 | 2026-03-31
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the appl…
Source: NVD
CVE-2026-45294 | P4 | MEDIUM | CVSS 5.3 | CWE-203 | fixed in 1.8.219 | 2026-05-29
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerabi…
Source: NVD