{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40568", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.474Z", "datePublished": "2026-04-21T16:08:37.296Z", "dateUpdated": "2026-04-21T20:37:44.431Z"}, "containers": {"cna": {"title": "FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.213", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:08:37.296Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue."}], "source": {"advisory": "GHSA-w2f5-6wcv-677r", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T20:32:29.436684Z", "id": "CVE-2026-40568", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:37:44.431Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40568", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T20:32:29.436684Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T20:32:39.519Z"}}], "cna": {"title": "FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization", "source": {"advisory": "GHSA-w2f5-6wcv-677r", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.213"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f", "name": "https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T16:08:37.296Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40568", "state": "PUBLISHED", "dateUpdated": "2026-04-21T20:37:44.431Z", "dateReserved": "2026-04-14T13:24:29.474Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T16:08:37.296Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue."}], "id": "CVE-2026-40568", "lastModified": "2026-04-22T21:10:14.290", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T17:16:55.297", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/1d83e1cffb0bf8d109625313530b36b0f5910b3f"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.213)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-21T22:43:16.533231+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011issued update to FreeScout 1.8.213 or later.", "Revoke the ACCESS_PERM_SIGNATURE permission from non\u2011administrators and limit mailbox signature editing to trusted users only.", "Search the database for existing mailbox signatures and remove any that contain unexpected tags or event handlers.", "If an immediate upgrade is not possible, disable the mailbox signature feature or enforce strict input validation that blocks all tags and event attributes."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting (XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the free, self\u2011hosted help\u2011desk platform Freescout, version 1.8.212 and earlier.", "description_and_impact": "FreeScout stores mailbox signatures without complete HTML filtering; only four tags are blocked and event handler attributes are left intact. When an authenticated user with signature permission saves a signature containing elements such as <img>, <svg>, or <details> that carry onerror/onload handlers, the malicious code is persisted in the database. The signature is later rendered as raw HTML and inserted into the page via JavaScript. The embedded handlers execute automatically whenever any agent or administrator opens a conversation, enabling session hijacking, phishing overlays that bypass content\u2011security policies in some browsers, and escalation to admin capabilities such as mass\u2011assignment and even worm\u2011like propagation across mailboxes.", "risk_and_exploitability": "The flaw carries a CVSS score of 8.5, indicating high severity. EPSS information is not available, and the issue is not listed in the CISA KEV catalog. Attackers must be authenticated and be granted the ACCESS_PERM_SIGNATURE permission, a delegatable, non\u2011admin right, to insert malicious signatures. Once injected, the payload runs immediately without victim interaction, making exploitation straightforward for anyone who can reach a mailbox conversation on the affected system."}}}}, "created": "2026-04-21T17:45:16.244833+00:00", "updated": "2026-04-21T22:45:16.064257+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}