{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40497/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40497"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["freescout","css-injection","privilege-escalation","cve-2026-40497"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to a CSS injection vulnerability (CVE-2026-40497) in versions prior to 1.8.213. The vulnerability resides within the \u003ccode\u003eHelper::stripDangerousTags()\u003c/code\u003e function, which inadequately sanitizes the mailbox signature field. While the function removes \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;form\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e, and \u003ccode\u003e\u0026lt;object\u0026gt;\u003c/code\u003e tags, it fails to strip \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e tags. An attacker with access to mailbox settings, either an administrator or an agent with sufficient permissions, can inject malicious CSS code into the signature field via POST requests to \u003ccode\u003e/mailbox/settings/{id}\u003c/code\u003e. This injected CSS is then rendered unescaped in conversation views using \u003ccode\u003e{!! $conversation-\u0026gt;getSignatureProcessed([], true) !!}\u003c/code\u003e. The application\u0026rsquo;s CSP, which allows \u003ccode\u003estyle-src * 'self' 'unsafe-inline'\u003c/code\u003e, enables the execution of injected inline styles. 
This vulnerability allows attackers to exfiltrate CSRF tokens and ultimately escalate privileges.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains access to FreeScout with agent or admin privileges and permission to modify mailbox settings.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the mailbox settings page.\u003c/li\u003e\n\u003cli\u003eAttacker injects malicious CSS code, including CSS attribute selectors designed to exfiltrate CSRF tokens, into the mailbox signature field via a POST request to \u003ccode\u003e/mailbox/settings/{id}\u003c/code\u003e. The injected CSS leverages \u003ccode\u003estyle-src * 'self' 'unsafe-inline'\u003c/code\u003e in the Content Security Policy.\u003c/li\u003e\n\u003cli\u003eThe FreeScout server saves the malicious signature to the database.\u003c/li\u003e\n\u003cli\u003eA victim (another agent or admin) views a conversation within the affected mailbox, causing the malicious signature to be rendered via \u003ccode\u003e{!! $conversation-\u0026gt;getSignatureProcessed([], true) !!}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe injected CSS executes in the victim\u0026rsquo;s browser and exfiltrates the CSRF token, potentially via a DNS request or HTTP request to an attacker-controlled server (not detailed in source).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen CSRF token to perform unauthorized actions on behalf of the victim.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges by creating new admin accounts or modifying existing user credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to escalate privileges from an agent to an administrator within the FreeScout platform. This could lead to a complete compromise of the help desk system. 
An attacker could create new administrator accounts, modify existing user credentials, access sensitive customer data, and potentially disrupt the entire help desk operation. While the exact number of potentially affected FreeScout instances is unknown, all installations prior to version 1.8.213 are vulnerable if an attacker gains valid access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.213 or later, which contains the fix for CVE-2026-40497.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u0026ldquo;FreeScout Suspicious Mailbox Signature Update\u0026rdquo; to detect attempts to inject CSS into the mailbox signature field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/mailbox/settings/{id}\u003c/code\u003e and inspect the request body for \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e tags or suspicious CSS syntax to detect attempted exploitation (webserver log source).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T03:16:08Z","date_published":"2026-04-21T03:16:08Z","id":"/briefs/2026-04-freescout-css-injection/","summary":"FreeScout versions prior to 1.8.213 are vulnerable to CSS injection via the mailbox signature, allowing an attacker with mailbox settings access to exfiltrate CSRF tokens and escalate privileges.","title":"FreeScout CSS Injection Vulnerability in Mailbox Signature Leads to Privilege Escalation (CVE-2026-40497)","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-css-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-40497","version":"https://jsonfeed.org/version/1.1"}