Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-40497— FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration)

CVSS 8.1 · High EPSS 0.04% · P11
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-40497

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration)
Source: NVD (National Vulnerability Database)
Vulnerability Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`, `<iframe>`, `<object>` but does NOT strip `<style>` tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via `{!! $conversation->getSignatureProcessed([], true) !!}` in conversation views. CSP allows `style-src * 'self' 'unsafe-inline'`, so injected inline styles execute freely. An attacker with access to mailbox settings (admin or agent with mailbox permission) can inject CSS attribute selectors to exfiltrate the CSRF token of any agent/admin who views a conversation in that mailbox. With the CSRF token, the attacker can perform any state-changing action as the victim (create admin accounts, change email/password, etc.) — privilege escalation from agent to admin. This is the result of an incomplete fix of GHSA-jqjf-f566-485j. That advisory reported XSS via mailbox signature. The fix applied `Helper::stripDangerousTags()` to the signature before saving. However, `stripDangerousTags()` only removes `script`, `form`, `iframe`, and `object` tags — it does NOT strip `<style>` tags, leaving CSS injection possible. Version 1.8.213 contains an updated fix.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
FreeScout 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
FreeScout是FreeScout公司的一个使用 PHP(Laravel 框架)构建的超轻量级且功能强大的免费开源帮助台和共享收件箱。 FreeScout 1.8.213之前版本存在安全漏洞,该漏洞源于Helper::stripDangerousTags函数未移除style标签,可能导致具有邮箱设置访问权限的攻击者注入CSS属性选择器窃取CSRF令牌,进而执行权限提升。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
freescout-help-deskfreescout < 1.8.213 -

II. Public POCs for CVE-2026-40497

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-40497

登录查看更多情报信息。

Same Patch Batch · freescout-help-desk · 2026-04-21 · 20 CVEs total

CVE-2026-411939.1 CRITICALFreeScout has Zip Slip path traversal in module installation that allows arbitrary file wr
CVE-2026-405699.0 CRITICALFreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltrati
CVE-2026-405688.5 HIGHFreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization
CVE-2026-405897.6 HIGHFreeScout has Customer Edit Cross-Mailbox Email Takeover
CVE-2026-411907.1 HIGHFreeScout has assigned-only visibility bypass via save_draft that allows hidden conversati
CVE-2026-411897.1 HIGHFreeScout has assigned-only visibility bypass that allows editing hidden customer-authored
CVE-2026-411917.1 HIGHFreeScout's signature only mailbox permission allows unauthorized mailbox chat setting cha
CVE-2026-411927.1 HIGHFreeScout's client-controlled attachment IDs allow deletion of existing conversation attac
CVE-2026-405917.1 HIGHFreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hid
CVE-2026-405656.1 MEDIUMFreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href
CVE-2026-405925.9 MEDIUMFreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound
CVE-2026-405675.8 MEDIUMFreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature
CVE-2026-411945.4 MEDIUMFreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable
CVE-2026-411834.3 MEDIUMFreeScout allows non-folder conversation queries to disclose assigned-only hidden conversa
CVE-2026-405904.3 MEDIUMFreeScout's Customer AJAX Create Modifies Hidden Existing Customer
CVE-2026-405664.1 MEDIUMFreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints
CVE-2026-40570FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to A
CVE-2026-40496FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Downlo
CVE-2026-40498FreeScout has Authentication Bypass and Information Disclosure in SystemController via /sy

IV. Related Vulnerabilities

Same product: freescout
Same vendor: freescout-help-desk
Same weakness: CWE-79

V. Comments for CVE-2026-40497

No comments yet

Leave a comment