Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

freescout-help-desk — Vulnerabilities & Security Advisories 61

Browse all 61 CVE security advisories affecting freescout-help-desk. AI-powered Chinese analysis, POCs, and references for each vulnerability.

FreeScout is an open-source, self-hosted help desk application designed to manage customer support tickets via email, serving as a cost-effective alternative to commercial platforms. Despite its utility, the software has a significant security history, with 56 Common Vulnerabilities and Exposures (CVEs) currently recorded. These vulnerabilities predominantly involve cross-site scripting (XSS), SQL injection, and remote code execution (RCE), often stemming from insufficient input validation and improper access controls. Several incidents highlight critical privilege escalation flaws that allow unauthenticated users to gain administrative access or execute arbitrary commands on the host system. The high volume of disclosed CVEs indicates persistent maintenance challenges regarding code quality and security auditing. Organizations deploying FreeScout must prioritize rigorous patch management and network segmentation to mitigate these known risks, as the application’s architecture has repeatedly demonstrated susceptibility to standard web application attacks.

Top products by freescout-help-desk: freescout
CVE IDTitleCVSSSeverityPublished
CVE-2026-41906 FreeScout: Conversation Change-Customer Cross-Mailbox Authorization Bypass — freescoutCWE-639 7.1 High2026-05-07
CVE-2026-41905 FreeScout vulnerable to SSRF via Helper::sanitizeRemoteUrl: redirect destination not re-validated, allowing internal HTTP / cloud-metadata access — freescoutCWE-918 7.7 High2026-05-07
CVE-2026-41904 FreeScout Stored XSS vulnerability in mailbox auto-reply: payload reaches every customer's email client (no CSP), bypassing strip_tags validator with mixed text+HTML content — freescoutCWE-79 7.6 High2026-05-07
CVE-2026-41902 FreeScout's user invitation hash never expires: permanent unauthenticated account takeover if invite link leaks — freescoutCWE-613 9.1 Critical2026-05-07
CVE-2026-41903 FreeScout IDOR Vulnerability: PERM_EDIT_USERS allows modifying any user's notification subscriptions (incomplete fix of CVE-2025-48472) — freescoutCWE-863 5.4 Medium2026-05-07
CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable — freescoutCWE-352 5.4 Medium2026-04-21
CVE-2026-41193 FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE — freescoutCWE-22 9.1 Critical2026-04-21
CVE-2026-41192 FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments — freescoutCWE-862 7.1 High2026-04-21
CVE-2026-41191 FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting changes — freescoutCWE-863 7.1 High2026-04-21
CVE-2026-41190 FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection — freescoutCWE-863 7.1 High2026-04-21
CVE-2026-41189 FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored threads — freescoutCWE-863 7.1 High2026-04-21
CVE-2026-41183 FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations — freescoutCWE-200 4.3 Medium2026-04-21
CVE-2026-40592 FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply — freescoutCWE-862 5.9 Medium2026-04-21
CVE-2026-40591 FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification — freescoutCWE-639 7.1 High2026-04-21
CVE-2026-40590 FreeScout's Customer AJAX Create Modifies Hidden Existing Customer — freescoutCWE-639 4.3 Medium2026-04-21
CVE-2026-40589 FreeScout has Customer Edit Cross-Mailbox Email Takeover — freescoutCWE-639 7.6 High2026-04-21
CVE-2026-40570 FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII — freescoutCWE-639 4.3AIMediumAI2026-04-21
CVE-2026-40569 FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration — freescoutCWE-284 9.0 Critical2026-04-21
CVE-2026-40568 FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization — freescoutCWE-79 8.5 High2026-04-21
CVE-2026-40567 FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables — freescoutCWE-116 5.8 Medium2026-04-21
CVE-2026-40566 FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints — freescoutCWE-918 4.1 Medium2026-04-21
CVE-2026-40565 FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href — freescoutCWE-79 6.1 Medium2026-04-21
CVE-2026-40498 FreeScout has Authentication Bypass and Information Disclosure in SystemController via /system/cron — freescoutCWE-200 9.1AICriticalAI2026-04-21
CVE-2026-40497 FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration) — freescoutCWE-79 8.1 High2026-04-21
CVE-2026-40496 FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force — freescoutCWE-330 8.2AIHighAI2026-04-21
CVE-2026-35584 FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint Allows Cross-Conversation Thread Manipulation and Enumeration — freescoutCWE-306 8.2AIHighAI2026-04-07
CVE-2026-39384 FreeScout Customer Merge Cross-Mailbox Authorization Bypass — freescoutCWE-639 7.6 High2026-04-07
CVE-2026-34442 FreeScout: Host Header Injection Leading to External Resource Loading and Open Redirect in FreeScout — freescoutCWE-20 5.4 Medium2026-03-31
CVE-2026-34443 FreeScout: SSRF protection bypass via broken CIDR check in checkIpByMask() — freescoutCWE-918 7.5 -2026-03-31
CVE-2026-32754 FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!}) — freescoutCWE-79 9.3 Critical2026-03-19

This page lists every published CVE security advisory associated with freescout-help-desk. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.