{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40567", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.474Z", "datePublished": "2026-04-21T16:06:39.878Z", "dateUpdated": "2026-04-21T19:17:33.873Z"}, "containers": {"cna": {"title": "FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables", "problemTypes": [{"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/9131b16f80eade81002cb9809a2603f6b61981cf", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/9131b16f80eade81002cb9809a2603f6b61981cf"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.213", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:06:39.878Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the `{%customer.fullName%}` signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue."}], "source": {"advisory": "GHSA-q8v4-v62h-5528", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T19:17:14.445574Z", "id": "CVE-2026-40567", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:17:33.873Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40567", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T19:17:14.445574Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:17:30.844Z"}}], "cna": {"title": "FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables", "source": {"advisory": "GHSA-q8v4-v62h-5528", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.213"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/9131b16f80eade81002cb9809a2603f6b61981cf", "name": "https://github.com/freescout-help-desk/freescout/commit/9131b16f80eade81002cb9809a2603f6b61981cf", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the `{%customer.fullName%}` signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:06:39.878Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40567", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:17:33.873Z", "dateReserved": "2026-04-14T13:24:29.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:06:39.878Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the `{%customer.fullName%}` signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue."}], "id": "CVE-2026-40567", "lastModified": "2026-04-22T21:10:14.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:55.153", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/9131b16f80eade81002cb9809a2603f6b61981cf"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.213)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-22T03:04:47.917478+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.213 or later so that customer names are properly sanitized before use in email signatures.", "Configure your mail server or email gateway to sanitize or remove HTML code from outgoing emails or block known injection patterns.", "Disable or restrict the use of the {%customer.fullName%} variable in email signatures until the patch is applied, or switch to plain-text signatures."], "summary": {"action": "Patch", "impact": "HTML Injection in Outgoing Emails via Unsanitized Signature Variable"}, "threat_synthesis": {"affected_systems": "The issue affects the freescout-help-desk:freescout product, specifically all installations running versions older than 1.8.213. Versions 1.8.213 and later include a patch that sanitizes the customer name before rendering it in signatures, eliminating the injection vector. Users running the free self\u2011hosted help desk and shared mailbox solution should verify that they are on a supported release.\n", "description_and_impact": "FreeScout has a flaw that allows an attacker to inject arbitrary HTML into outgoing support emails. The vulnerability arises because the system stores the customer\u2019s full name without sanitization and later renders it unescaped inside the signature variable {%customer.fullName%}. By sending an email with a crafted From display name, an attacker can embed phishing links, tracking pixels, or other malicious content that appears as part of legitimate outgoing emails. The weakness is a classic example of improper input handling (CWE-116), and its use in email signatures enables credential\u2011stealing and social\u2011engineering attacks against recipients.\n", "risk_and_exploitability": "The CVSS score of 5.8 indicates a moderate risk, combining potential abuse (phishing) with limited impact on system integrity. The EPSS score is not provided, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply sending a spam or phishing email from any external address; no authentication is required, meaning the vector is easily achievable. Because the payload is delivered via Office or webmail clients that interpret HTML in messages, the impact can be immediate and widespread if the organization\u2019s support team forwards the compromised emails to customers.\n"}}}}, "created": "2026-04-21T17:45:16.245477+00:00", "updated": "2026-04-22T03:15:06.408522+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}