{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40566", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.474Z", "datePublished": "2026-04-21T16:04:35.587Z", "dateUpdated": "2026-04-21T17:33:11.528Z"}, "containers": {"cna": {"title": "FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.213", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:04:35.587Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability."}], "source": {"advisory": "GHSA-fg98-rgx6-8x4g", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:33:06.910770Z", "id": "CVE-2026-40566", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:33:11.528Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40566", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.474Z", "datePublished": "2026-04-21T16:04:35.587Z", "dateUpdated": "2026-04-21T17:33:11.528Z"}, "containers": {"cna": {"title": "FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "lang": "en", "description": "CWE-918: Server-Side Request Forgery (SSRF)", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.213", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:04:35.587Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability."}], "source": {"advisory": "GHSA-fg98-rgx6-8x4g", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40566", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:33:06.910770Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:33:01.166Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a Server-Side Request Forgery (SSRF) vulnerability in the IMAP/SMTP connection test functionality of FreeScout's `MailboxesController`. Three AJAX actions `fetch_test` (line 731), `send_test` (line 682), and `imap_folders` (line 773) in `app/Http/Controllers/MailboxesController.php` pass admin-configured `in_server`/`in_port` and `out_server`/`out_port` values directly to `fsockopen()` via `Helper::checkPort()` and to IMAP/SMTP client connections with zero SSRF protection. There is no IP validation, no hostname restriction, no blocklist of internal ranges, and no call to the project's own `sanitizeRemoteUrl()` or `checkUrlIpAndHost()` functions. The validation block in `connectionIncomingSave()` is entirely commented out. An authenticated admin can configure a mailbox's IMAP or SMTP server to point at any internal host and port, then trigger a connection test. The server opens raw TCP connections (via `fsockopen()`) and protocol-level connections (via IMAP client or SMTP transport) to the attacker-specified target. The response differentiates open from closed ports, enabling internal network port scanning. When the IMAP client connects to a non-IMAP service, the target's service banner or error response is captured in the IMAP debug log and returned in the AJAX response's `log` field, making this a semi-blind SSRF that enables service fingerprinting. In cloud environments, the metadata endpoint at `169[.]254[.]169[.]254` can be probed and partial response data may be leaked through protocol error messages. This is distinct from the `sanitizeRemoteUrl()` redirect bypass (freescout-3) -- different code path, different root cause, different protocol layer. Version 1.8.213 patches the vulnerability."}], "id": "CVE-2026-40566", "lastModified": "2026-04-22T21:10:14.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:55.000", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/efe82e31b4a0d4c0b20025d09df0615e8139ff08"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.213)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-21T22:44:06.936432+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.213 or later to apply the vendor\u2011provided patch.", "If immediate upgrade is impractical, restrict the connection test feature to a narrowly defined set of trusted IP ranges or disable it entirely for non\u2011essential accounts.", "Implement network segmentation and firewall rules that block outbound connections from the FreeScout server to internal IP ranges not required for normal operation, thereby limiting the blast radius of any SSRF attempt."], "summary": {"action": "Immediate Patch", "impact": "Server-Side Request Forgery exposing internal hosts and port scanning capability"}, "threat_synthesis": {"affected_systems": "Versions of the freescout-help-desk freescout product older than 1.8.213 are affected. Any instance of the application using these versions with an administrative account capable of configuring mailboxes is vulnerable.", "description_and_impact": "FreeScout\u2019s MailboxesController allows an authenticated administrator to execute a Server\u2011Side Request Forgery by specifying arbitrary internal IMAP or SMTP server addresses for connection testing. The back\u2011end code directly passes the admin\u2011configured server hostname and port to low\u2011level socket or protocol clients without any IP validation, hostname restriction or blocklist. This results in the FreeScout service opening raw TCP connections and protocol\u2011level client connections to an attacker\u2011chosen target, revealing whether the port is open, and when connecting to non\u2011IMAP/SMTP services, returning the target\u2019s service banner or error message in the AJAX response\u2019s log field. In cloud deployments, this also permits probing the instance metadata endpoint, potentially leaking partial response data through protocol error messages.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 4.1, indicating moderate severity; the EPSS score is not available and the issue is not listed in the CISA KEV catalog. Nevertheless, the flaw requires authenticated administrative access, but it permits the attacker to probe internal network services, gain service fingerprints, and in some cases retrieve sensitive metadata. The attack path is straightforward: an admin configures mailbox settings to point to a chosen internal host and port, then triggers a connection test. The lack of outbound connection restrictions and the server\u2019s ability to open arbitrary sockets make exploitation highly feasible in environments where the application is reachable by authorised administrators."}}}}, "created": "2026-04-21T17:30:37.395321+00:00", "updated": "2026-04-21T22:45:16.065844+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}