Platform: php
Component: freescout-help-desk
Fixed in: 1.8.215
CVE-2026-40589 affects FreeScout help desk systems prior to version 1.8.214. This vulnerability allows a low-privileged agent to manipulate customer profiles and email addresses, leading to potential data exposure and email spoofing. The vulnerability was published on April 21, 2026, and a patch is available in version 1.8.214.
An attacker exploiting this vulnerability could impersonate a customer by re-associating an email address that belongs to a hidden customer profile with a visible one. This lets the attacker view the hidden customer's profile information, including their name and profile URL, which could be used for social engineering or further attacks. Furthermore, the attacker can rebind conversations tied to that email address to the visible customer, potentially gaining access to sensitive information or manipulating the communication history. The blast radius extends to all customers whose email addresses are managed within the FreeScout system.
The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of exploitation. Public proof-of-concept (POC) code is not currently available. Given the nature of the vulnerability (email spoofing and data exposure), it is reasonable to expect that it could be targeted by malicious actors, especially if a readily exploitable POC is released. Refer to the official FreeScout advisory for further details.
Exploit status
EPSS
0.04% (11th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40589 is to immediately upgrade FreeScout to version 1.8.214 or later. If upgrading is not immediately feasible, consider implementing strict access controls to limit the privileges of agents within the FreeScout system. Review agent activity logs for any suspicious modifications to customer profiles or email addresses. While a WAF cannot directly prevent this vulnerability, it could be configured to flag unusual patterns of email address modifications. After upgrading, confirm the fix by attempting to create a new customer and associating an existing email address with them; the operation should fail.
Update FreeScout to version 1.8.214 or later to mitigate the vulnerability. This update fixes an issue that allows a low-privileged agent to edit a visible customer and add an email address belonging to another, hidden customer, which could result in email account takeover.
CVE-2026-40589 is a HIGH severity vulnerability in FreeScout versions 1.0.0 through 1.8.213 that allows a low-privileged agent to link email addresses to different customer profiles, potentially enabling email spoofing and data exposure.
You are affected if you are running FreeScout version 1.0.0 through 1.8.213. Verify your FreeScout version and upgrade immediately if vulnerable.
Upgrade FreeScout to version 1.8.214 or later. If immediate upgrade is not possible, implement strict access controls for agents and monitor activity logs.
There is no current evidence of active exploitation, but the vulnerability's nature suggests it could be targeted. Monitor security advisories and threat intelligence feeds.
Refer to the official FreeScout security advisory, which can be found on the FreeScout website or through their security mailing list. (Link to advisory would be here if available).