
freescout — Vulnerabilities & Security Advisories (70)

All 70 CVE vulnerabilities found in freescout, with AI-generated Chinese analysis, references, and POCs.

This page catalogs publicly known security vulnerabilities and weaknesses in the freescout product, covering software flaws and configuration issues. It aggregates issues such as remote code execution, cross-site scripting, SQL injection, and information disclosure that have been publicly disclosed or identified through independent research, with vulnerability reports spanning from 2018 to the present. Users can track vendor advisories and the official patches released by the freescout development team to mitigate risks, and security professionals and administrators can use the page to understand the weakness classes relevant to open-source help desk software, including common attack vectors and remediation strategies. The product's vulnerability history can be looked up in detail, so teams can review past security incidents, evaluate the long-term stability of the software, compare current risk levels against historical trends, and identify recurring patterns in reported defects. The information is sourced from official security announcements, public databases, and verified third-party reports, ensuring accuracy and reliability for decision-making.

Vendor: freescout-helpdesk

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-45294 | FreeScout: User Account Enumeration via Password Reset Response Differentiation | CWE-203 | 5.3 | Medium | 2026-05-29 |
| CVE-2026-47123 | FreeScout: Agent Impersonation via Missing HMAC Verification on Notification Reply Message-ID Path | CWE-290 | 7.5 | High | 2026-05-29 |
| CVE-2026-48810 | FreeScout: Thread Edit Authorization Bypass via Missing Mailbox Check | CWE-285 | 4.3 | Medium | 2026-05-29 |
| CVE-2026-48811 | FreeScout: Thread Deletion Bypasses Mailbox Access Revocation | CWE-862 | 4.3 | Medium | 2026-05-29 |
| CVE-2026-41906 | FreeScout: Conversation Change-Customer Cross-Mailbox Authorization Bypass | CWE-639 | 7.1 | High | 2026-05-07 |
| CVE-2026-41905 | FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: redirect destination not re-validated, allowing internal HTTP / cloud-metadata access | CWE-918 | 7.7 | High | 2026-05-07 |
| CVE-2026-41904 | FreeScout Stored XSS vulnerability in mailbox auto-reply: payload reaches every customer's email client (no CSP), bypassing strip_tags validator with mixed text+HTML content | CWE-79 | 7.6 | High | 2026-05-07 |
| CVE-2026-41902 | FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks | CWE-613 | 9.1 | Critical | 2026-05-07 |
| CVE-2026-41903 | FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifying any user's notification subscriptions (incomplete fix of CVE-2025-48472) | CWE-863 | 5.4 | Medium | 2026-05-07 |
| CVE-2026-41194 | FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable | CWE-352 | 5.4 | Medium | 2026-04-21 |
| CVE-2026-41193 | FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE | CWE-22 | 9.1 | Critical | 2026-04-21 |
| CVE-2026-41192 | FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments | CWE-862 | 7.1 | High | 2026-04-21 |
| CVE-2026-41191 | FreeScout's signature-only mailbox permission allows unauthorized mailbox chat setting changes | CWE-863 | 7.1 | High | 2026-04-21 |
| CVE-2026-41190 | FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection | CWE-863 | 7.1 | High | 2026-04-21 |
| CVE-2026-41189 | FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored threads | CWE-863 | 7.1 | High | 2026-04-21 |
| CVE-2026-41183 | FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations | CWE-200 | 4.3 | Medium | 2026-04-21 |
| CVE-2026-40592 | FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply | CWE-862 | 5.9 | Medium | 2026-04-21 |
| CVE-2026-40591 | FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification | CWE-639 | 7.1 | High | 2026-04-21 |
| CVE-2026-40590 | FreeScout's Customer AJAX Create Modifies Hidden Existing Customer | CWE-639 | 4.3 | Medium | 2026-04-21 |
| CVE-2026-40589 | FreeScout has Customer Edit Cross-Mailbox Email Takeover | CWE-639 | 7.6 | High | 2026-04-21 |
| CVE-2026-40570 | FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII | CWE-639 | 4.3 (AI) | Medium (AI) | 2026-04-21 |
| CVE-2026-40569 | FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration | CWE-284 | 9.0 | Critical | 2026-04-21 |
| CVE-2026-40568 | FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization | CWE-79 | 8.5 | High | 2026-04-21 |
| CVE-2026-40567 | FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables | CWE-116 | 5.8 | Medium | 2026-04-21 |
| CVE-2026-40566 | FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints | CWE-918 | 4.1 | Medium | 2026-04-21 |
| CVE-2026-40565 | FreeScout has Stored XSS / CSS Injection via linkify(): Unescaped URL in Anchor href | CWE-79 | 6.1 | Medium | 2026-04-21 |
| CVE-2026-40498 | FreeScout has Authentication Bypass and Information Disclosure in SystemController via /system/cron | CWE-200 | 9.1 (AI) | Critical (AI) | 2026-04-21 |
| CVE-2026-40497 | FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration) | CWE-79 | 8.1 | High | 2026-04-21 |
| CVE-2026-40496 | FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force | CWE-330 | 8.2 (AI) | High (AI) | 2026-04-21 |
| CVE-2026-35584 | FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint that Allows Cross-Conversation Thread Manipulation and Enumeration | CWE-306 | 8.2 (AI) | High (AI) | 2026-04-07 |

CVSS scores and severities marked "(AI)" carry an "AI" badge on the source page rather than a vendor- or NVD-assigned value.
