TROYANOSYVIRUS
Retour aux CVEs

CVE-2026-32754

CRITICAL
9.3

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email, and when opened by any subscribed agent or admin as part of their normal workflow, enabling universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover) affecting all recipients simultaneously. This issue has been fixed in version 1.8.209.

Details CVE

Score CVSS v3.19.3
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurREQUIRED
Publie3/19/2026
Derniere modification3/23/2026
Sourcenvd
Observations honeypot0

Produits affectes

freescout:freescout

Faiblesses (CWE)

CWE-79CWE-116

References

https://github.com/freescout-help-desk/freescout/commit/3329379db38a86cf7069b0709061b95a7d38985b(security-advisories@github.com)
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209(security-advisories@github.com)
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-56h2-5556-r6mg(security-advisories@github.com)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.