Platform
laravel
Component
laravel
Fixed in
1.8.210
1.8.210
CVE-2026-32754 describes a critical Stored Cross-Site Scripting (XSS) vulnerability affecting FreeScout, a PHP Laravel-based help desk and shared inbox application. This vulnerability allows an unauthenticated attacker to inject malicious HTML into email notifications, potentially leading to account compromise and further exploitation. The vulnerability impacts versions of FreeScout up to and including 1.8.208; a patch is available in version 1.8.209.
The impact of this XSS vulnerability is significant due to its ease of exploitation and potential for widespread impact. An attacker can simply send a crafted email to trigger the vulnerability. When an agent or administrator opens the email, the malicious HTML payload will be executed in their browser context. This allows the attacker to steal session cookies, redirect users to phishing sites, deface the FreeScout interface, or even execute arbitrary JavaScript code within the user's session. Given FreeScout's function as a shared inbox and help desk, this vulnerability could compromise the accounts of multiple users and potentially expose sensitive customer data. The raw output syntax {!! $thread->body !!} in Blade templates is the direct cause, enabling unrestricted HTML injection.
CVE-2026-32754 was publicly disclosed on 2026-03-19. No known active exploitation campaigns have been reported at this time. The vulnerability is not currently listed on CISA KEV. Public proof-of-concept code is likely to emerge given the ease of exploitation and the severity of the vulnerability.
Exploit Status
EPSS
0.06% (20% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-32754 is to immediately upgrade FreeScout to version 1.8.209 or later, which contains the necessary fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious HTML tags and attributes within incoming email bodies. Additionally, review and sanitize all user-supplied data before storing it in the database. Monitor FreeScout logs for suspicious activity, particularly unusual HTML content in email bodies. While a direct detection signature is difficult, look for unusual HTML tags or Javascript code within email content.
Update FreeScout to version 1.8.209 or higher. This version fixes the Stored Cross-Site Scripting (XSS) vulnerability by properly escaping email content in notification templates. The update will prevent the execution of malicious JavaScript code in agent and administrator email clients.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-32754 is a critical Stored Cross-Site Scripting (XSS) vulnerability in FreeScout versions 1.8.208 and earlier. It allows attackers to inject malicious HTML into email notifications.
Yes, if you are using FreeScout versions 1.8.208 or earlier, you are vulnerable to this XSS attack.
Upgrade FreeScout to version 1.8.209 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
No active exploitation campaigns have been reported, but the vulnerability's ease of exploitation suggests it may be targeted soon.
Refer to the FreeScout security advisory on their official website or GitHub repository for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your composer.lock file and we'll tell you instantly if you're affected.