FreeScout ist ein kostenloses Helpdesk- und Shared-Inbox-System, das mit PHP's Laravel Framework erstellt wurde. Versionen 1.8.208 und darunter sind anfällig für Stored Cross-Site Scripting (XSS) über FreeScouts E-Mail-Benachrichtigungs-Vorlagen. Eingehende E-Mail-Texte werden in der Datenbank ohne Bereinigung gespeichert und in ausgehenden E-Mail-Benachrichtigungen unescaped unter Verwendung von Blades Raw-Output-Syntax {!! $thread->body !!} gerendert. Ein nicht authentifizierter Angreifer kann diese Schwachstelle ausnutzen, indem er einfach eine E-Mail sendet, und wenn diese von einem

The vulnerability lies in FreeScout's email notification templates. Incoming email bodies are stored in the database without proper sanitization. When these email bodies are later rendered in outgoing notifications, the application uses Blade's raw output syntax ({!! $thread->body !!}), which bypasses any HTML escaping. This means an attacker can inject arbitrary HTML and JavaScript code into the email body. An attacker only needs to send a specially crafted email to trigger the vulnerability. When an agent or administrator opens the email, the malicious script will execute in their browser context, potentially stealing cookies, redirecting them to phishing sites, or performing actions on their behalf. The blast radius extends to all users who receive notifications containing the injected content.

Organizations using FreeScout as a help desk or shared inbox solution are at risk, particularly those running versions 1.8.208 or earlier. Shared hosting environments where FreeScout is installed are especially vulnerable, as a compromise of one tenant could potentially impact others. Any organization handling sensitive customer data through FreeScout should prioritize patching.

• linux / server:

journalctl -u freescout | grep -i "html injection"

• generic web:

curl -I https://your-freescout-instance.com/emails/ | grep -i "content-type: text/html"

• wordpress / composer / npm: (Not applicable as FreeScout is not a WordPress plugin) • database (mysql, redis, mongodb, postgresql): (Not applicable, vulnerability is in the application layer) • windows / supply-chain: (Not applicable, FreeScout is typically deployed on Linux servers)

1. 2026-03-19Disclosure

   disclosure

1. Reserviert2026-03-13
2. Veröffentlicht2026-03-19
3. Geändert2026-03-23
4. EPSS aktualisiert2026-03-27

The primary mitigation is to immediately upgrade FreeScout to version 1.8.209 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, a temporary workaround involves sanitizing all incoming email bodies before they are stored in the database. This can be achieved using Laravel's built-in sanitization functions or a third-party HTML purifier library. Additionally, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious HTML tags or JavaScript code in email bodies. Regularly review and audit email notification templates to ensure proper escaping is implemented.