What is CVE-2026-40497 — CSRF in FreeScout?

CVE-2026-40497 is a Cross-Site Request Forgery (CSRF) vulnerability in FreeScout versions 1.0.0 through 1.8.212, allowing attackers to inject malicious CSS and potentially execute XSS.

Am I affected by CVE-2026-40497 in FreeScout?

Yes, if you are running FreeScout versions 1.0.0 through 1.8.212, you are affected by this vulnerability.

How do I fix CVE-2026-40497 in FreeScout?

Upgrade FreeScout to version 1.8.213 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.

Is CVE-2026-40497 being actively exploited?

No active exploitation has been confirmed, but the vulnerability's nature suggests a potential for exploitation.

Where can I find the official FreeScout advisory for CVE-2026-40497?

Refer to the FreeScout security advisory for details: [https://freescout.com/security/](https://freescout.com/security/)

CVE-2026-40497 — Vulnerability Details

NEXTGUARD

Scanner gratuitement

CVE-2026-40497 — Vulnerability Details | NextGuard

Étapes de Détectiontraduction en cours…

• php: Examine FreeScout logs for POST requests to /mailbox/settings/{id} containing <style> tags with unusual or obfuscated content. Use grep to search for patterns like style=javascript: or style=expression.

grep 'style=javascript:' /var/log/freescout/access.log

• generic web: Monitor HTTP POST requests to /mailbox/settings/{id} for suspicious CSS content in the request body. Use a WAF or intrusion detection system to flag such requests. • generic web: Check mailbox signatures for unusual CSS patterns. Inspect the HTML source code of conversation views for injected <style> tags.

FreeScout Vulnérable à l'Injection CSS via une Balise Style Stockée dans la Signature du Boîte aux Lettres (Exfiltration de Token CSRF)

Impact et Scénarios d'Attaque

Contexte d'Exploitation

Qui Est à Risquetraduction en cours…

Étapes de Détectiontraduction en cours…

Chronologie de l'Attaque

Renseignement sur les Menaces

Logiciel Affecté

Classification de Faiblesse (CWE)

Chronologie

Mitigation et Contournements

Comment corriger

Newsletter Sécurité CVE

Questions fréquentestraduction en cours…

What is CVE-2026-40497 — CSRF in FreeScout?

Am I affected by CVE-2026-40497 in FreeScout?

How do I fix CVE-2026-40497 in FreeScout?

Is CVE-2026-40497 being actively exploited?

Where can I find the official FreeScout advisory for CVE-2026-40497?

Ton projet est-il affecté ?