{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/freescout/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.6,"id":"CVE-2026-40589"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["privilege-escalation","cve-2026-40589","freescout"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout is a self-hosted help desk and shared mailbox system. Versions prior to 1.8.214 contain an authorization flaw, CVE-2026-40589 (CVSS 7.6), that lets a low-privileged agent reach customer records and conversations in mailboxes they are not permitted to see. The agent edits the profile of a customer visible in one of their own mailboxes and adds an email address that already belongs to a customer who exists only in a mailbox the agent cannot access (a hidden customer). The server does not check that the address belongs to a customer outside the agent\u0026rsquo;s mailboxes: it discloses the hidden customer\u0026rsquo;s name and profile URL in the success flash message, moves the email address to the visible customer, and rebinds every conversation tied to that address, including those in the hidden mailbox, to the visible customer. Version 1.8.214 patches the issue. The agent needs nothing beyond an ordinary account and knowledge of, or a guess at, a customer email address used in another mailbox, so organizations running affected versions should assume any agent can reach customer data and correspondence from any mailbox.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA low-privileged agent logs in to the FreeScout instance.\u003c/li\u003e\n\u003cli\u003eThe agent opens the profile of a customer in a mailbox they are permitted to access (the visible customer).\u003c/li\u003e\n\u003cli\u003eThe agent edits that profile and adds an email address already associated with a customer in a mailbox they cannot access (the hidden customer). No access to the hidden mailbox is required; the agent only has to know or guess the address.\u003c/li\u003e\n\u003cli\u003eThe server accepts the update without checking whether the address belongs to a customer outside the agent\u0026rsquo;s mailboxes.\u003c/li\u003e\n\u003cli\u003eThe success flash message shown to the agent discloses the hidden customer\u0026rsquo;s name and profile URL.\u003c/li\u003e\n\u003cli\u003eThe server reassigns the email address from the hidden customer to the visible customer in the database.\u003c/li\u003e\n\u003cli\u003eEvery conversation previously linked to that address, including those in the hidden mailbox, is rebound to the visible customer and becomes readable through that customer\u0026rsquo;s profile.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40589 breaches both confidentiality and integrity. A low-privileged agent can read hidden customers\u0026rsquo; names, profile URLs and complete conversation histories, and the reassignment itself corrupts customer records by merging two customers\u0026rsquo; data into one. The consequences include loss of customer privacy, regulatory violations and reputational damage. 
The exposure scales with the number of customers and mailboxes in the instance: every customer whose address an agent can guess, in every mailbox, is reachable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.214 or later to remediate CVE-2026-40589.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;FreeScout Hidden Customer Data Disclosure\u0026rdquo; against web server logs to detect exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor FreeScout application logs for customer profile edits that add an email address, and review recent changes in which an address moved from a customer in one mailbox to a customer in another; that pattern is the direct artifact of this attack. Note that standard web server access logs record the request path but not the submitted address, so confirming an attempt needs request-body logging or the application\u0026rsquo;s own records.\u003c/li\u003e\n\u003cli\u003eUntil the upgrade is applied, treat every agent account as able to read any mailbox: limit the number of agent accounts, review who holds them and enforce strong authentication on them, since mailbox-level access controls do not contain this flaw.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-freescout-privesc/","summary":"FreeScout versions before 1.8.214 are vulnerable to privilege escalation, allowing a low-privileged agent to reassign email addresses from hidden customers to visible customers, leading to information disclosure and unauthorized access to conversations.","title":"FreeScout Privilege Escalation via Email Address Reassignment (CVE-2026-40589)","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9,"id":"CVE-2026-40569"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["freescout","mass-assignment","vulnerability","email-exfiltration"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, has a mass assignment vulnerability (CVE-2026-40569, CVSS 9.0) in versions prior to 1.8.213. 
The flaw is in the \u003ccode\u003econnectionIncomingSave()\u003c/code\u003e and \u003ccode\u003econnectionOutgoingSave()\u003c/code\u003e methods of \u003ccode\u003eapp/Http/Controllers/MailboxesController.php\u003c/code\u003e. Rather than limiting the update to the fields the connection form exposes, the methods write submitted request parameters through to the mailbox record, so an authenticated administrator can attach fields the form never sends to an otherwise legitimate connection settings request and have them persisted. Settings reachable this way include \u003ccode\u003eauto_bcc\u003c/code\u003e, \u003ccode\u003eout_server\u003c/code\u003e, \u003ccode\u003eout_password\u003c/code\u003e, \u003ccode\u003esignature\u003c/code\u003e, \u003ccode\u003eauto_reply_enabled\u003c/code\u003e and \u003ccode\u003eauto_reply_message\u003c/code\u003e. An attacker can thereby copy every outgoing message to an address they control, route outgoing SMTP through their own server, inject content into signatures and auto-replies, and keep that access until the settings are inspected and reverted. Because the change rides on a routine connection update rather than a visible edit of the mailbox settings page, it is unlikely to be noticed. The issue matters most where several people hold administrator rights, or where an administrator\u0026rsquo;s session can be hijacked through another flaw such as XSS. 
FreeScout version 1.8.213 addresses this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker obtains an authenticated administrator session, either with legitimate credentials or by hijacking an administrator\u0026rsquo;s session through another vulnerability such as XSS.\u003c/li\u003e\n\u003cli\u003eThe attacker opens a mailbox\u0026rsquo;s connection settings (incoming IMAP or outgoing SMTP) and prepares an ordinary settings update.\u003c/li\u003e\n\u003cli\u003eThe attacker adds parameters the form does not contain, for example \u003ccode\u003eauto_bcc=attacker@evil.com\u003c/code\u003e, to that request.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003econnectionIncomingSave()\u003c/code\u003e or \u003ccode\u003econnectionOutgoingSave()\u003c/code\u003e persists the extra parameters together with the legitimate connection fields.\u003c/li\u003e\n\u003cli\u003eWith \u003ccode\u003eauto_bcc\u003c/code\u003e set, the \u003ccode\u003eSendReplyToCustomer\u003c/code\u003e job silently BCCs every outgoing reply from the mailbox to the attacker\u0026rsquo;s address.\u003c/li\u003e\n\u003cli\u003eAlternatively, changing \u003ccode\u003eout_server\u003c/code\u003e and \u003ccode\u003eout_password\u003c/code\u003e routes outgoing mail through an attacker-controlled SMTP server, and \u003ccode\u003esignature\u003c/code\u003e, \u003ccode\u003eauto_reply_enabled\u003c/code\u003e and \u003ccode\u003eauto_reply_message\u003c/code\u003e let the attacker inject content into mail the mailbox sends.\u003c/li\u003e\n\u003cli\u003eThe attacker keeps a copy of, or control over, all outgoing mail from the mailbox until the settings are reverted, enabling data exfiltration and follow-on phishing.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation gives an attacker persistent, covert control over a FreeScout mailbox\u0026rsquo;s outgoing mail. Every customer who corresponds with the mailbox is exposed, and organizations handling sensitive customer or financial data are most at risk. The altered settings live in the database, so the access survives password resets and session expiry and lasts until someone inspects the mailbox configuration. Redirecting SMTP and injecting content into signatures and auto-replies also enables phishing that appears to come from the organization\u0026rsquo;s own help desk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.213 or later to patch CVE-2026-40569 immediately.\u003c/li\u003e\n\u003cli\u003eIf you maintain a fork or cannot upgrade yet, make \u003ccode\u003econnectionIncomingSave()\u003c/code\u003e and \u003ccode\u003econnectionOutgoingSave()\u003c/code\u003e accept only an explicit allow-list of connection fields instead of arbitrary request parameters; an allow-list is the standard fix for mass assignment.\u003c/li\u003e\n\u003cli\u003eAudit every existing mailbox for unauthorized values in \u003ccode\u003eauto_bcc\u003c/code\u003e, \u003ccode\u003eout_server\u003c/code\u003e, \u003ccode\u003eout_password\u003c/code\u003e, \u003ccode\u003esignature\u003c/code\u003e, \u003ccode\u003eauto_reply_enabled\u003c/code\u003e and \u003ccode\u003eauto_reply_message\u003c/code\u003e. This requires direct database inspection, and it should cover all mailboxes, not only those with recent connection changes.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/mailboxes/*/connection/incoming-save\u003c/code\u003e and \u003ccode\u003e/mailboxes/*/connection/outgoing-save\u003c/code\u003e that carry parameters the form does not send; the Sigma rule accompanying this brief targets these requests.\u003c/li\u003e\n\u003cli\u003eStandard access logs do not record POST bodies, so capture request bodies for these endpoints (at the reverse proxy or through application-level logging) if the detection is to see the injected parameters; without that, the logs show only that a connection update occurred.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-freescout-mass-assignment/","summary":"FreeScout versions prior to 1.8.213 contain a mass assignment vulnerability allowing authenticated admins to modify sensitive mailbox settings by injecting parameters into connection settings requests, leading to email exfiltration and account compromise.","title":"FreeScout Mass Assignment Vulnerability (CVE-2026-40569)","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-mass-assignment/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-41189"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["freescout","authorization","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, contains an authorization bypass (CVE-2026-41189, CVSS 7.1) in versions prior to 1.8.215. FreeScout can restrict a user to only the conversations assigned to them within a mailbox, and \u003ccode\u003eConversationPolicy\u003c/code\u003e enforces that assigned-only restriction. \u003ccode\u003eThreadPolicy::edit()\u003c/code\u003e, however, checks only that the user has access to the mailbox and never consults the conversation-level restriction, so a user who is not permitted to view a conversation can still load and modify the customer-authored threads inside it. Upgrading to version 1.8.215 resolves this vulnerability. 
The effect is unauthorized modification of customer communications, which alters the record of what a customer said and can manipulate how their case is handled.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker holds, or compromises, a FreeScout account that has access to a mailbox but is limited to the conversations assigned to it.\u003c/li\u003e\n\u003cli\u003eThe attacker picks a conversation in that mailbox that is not assigned to them and sends an edit request for a customer-authored thread within it.\u003c/li\u003e\n\u003cli\u003eThe application invokes \u003ccode\u003eThreadPolicy::edit()\u003c/code\u003e to authorize the edit.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eThreadPolicy::edit()\u003c/code\u003e confirms mailbox access and approves the action without applying the assigned-only check that \u003ccode\u003eConversationPolicy\u003c/code\u003e would have enforced.\u003c/li\u003e\n\u003cli\u003eThe thread loads and the attacker reads its contents.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the thread and saves it, altering the conversation history.\u003c/li\u003e\n\u003cli\u003eAgents handling the conversation, and the customer, now act on a manipulated record.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCVE-2026-41189 lets users without access to a conversation read and modify the customer-authored threads within it. The exposure covers every conversation in any mailbox where users are restricted to assigned conversations, since the thread edit endpoint reaches all of them. The main concern is integrity: manipulated customer statements can drive wrong decisions on cases, create disputes over what was said, and lead to regulatory exposure and loss of customer trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.215 or later to patch CVE-2026-41189.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule, which flags thread edit requests in web server logs by HTTP request pattern. The request alone does not reveal whether the user was assigned to the conversation, so treat hits as leads to correlate with conversation assignments rather than as confirmed abuse.\u003c/li\u003e\n\u003cli\u003eReview user access controls and enforce least privilege: give users only the mailboxes they need, and where assigned-only access is in use, check after upgrading whether any customer threads were edited by users not assigned to the conversation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-22T12:00:00Z","date_published":"2026-04-22T12:00:00Z","id":"/briefs/2026-04-freescout-authz-bypass/","summary":"FreeScout versions before 1.8.215 are vulnerable to an incorrect authorization issue where users without conversation access can edit customer threads due to a flaw in the `ThreadPolicy::edit()` function.","title":"FreeScout Incorrect Authorization Vulnerability (CVE-2026-41189)","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-authz-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-40497"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["freescout","css-injection","privilege-escalation","cve-2026-40497"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout, a self-hosted help desk and shared mailbox platform, is susceptible to CSS injection (CVE-2026-40497, CVSS 8.1) in versions prior to 1.8.213. The flaw lies in \u003ccode\u003eHelper::stripDangerousTags()\u003c/code\u003e, the function that sanitizes the mailbox signature field. 
While the function removes \u003ccode\u003e\u0026lt;script\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;form\u0026gt;\u003c/code\u003e, \u003ccode\u003e\u0026lt;iframe\u0026gt;\u003c/code\u003e and \u003ccode\u003e\u0026lt;object\u0026gt;\u003c/code\u003e tags, it does not strip \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e tags. A user permitted to edit mailbox settings, whether an administrator or an agent granted that permission, can therefore store arbitrary CSS in the signature through a POST request to \u003ccode\u003e/mailbox/settings/{id}\u003c/code\u003e. Conversation views later render the signature unescaped via \u003ccode\u003e{!! $conversation-\u0026gt;getSignatureProcessed([], true) !!}\u003c/code\u003e, and the application\u0026rsquo;s Content Security Policy of \u003ccode\u003estyle-src * 'self' 'unsafe-inline'\u003c/code\u003e allows the injected inline styles to apply. CSRF tokens appear in the page as attribute values, so CSS attribute selectors that match the token one prefix at a time, each triggering a request for a distinct attacker-hosted resource, can leak the token of every user who views a conversation in the mailbox. A valid token for a victim\u0026rsquo;s session defeats the CSRF protection on state-changing requests, which is what turns this into privilege escalation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker holds an agent or administrator account with permission to modify mailbox settings.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a POST request to \u003ccode\u003e/mailbox/settings/{id}\u003c/code\u003e whose signature contains a \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e block built from attribute selectors keyed on the CSRF token\u0026rsquo;s value, so that each matching prefix causes a request to an attacker-controlled host.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eHelper::stripDangerousTags()\u003c/code\u003e leaves the \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e block intact and the server stores the signature in the database.\u003c/li\u003e\n\u003cli\u003eA victim (another agent or an administrator) opens a conversation in the affected mailbox. The signature is rendered via \u003ccode\u003e{!! $conversation-\u0026gt;getSignatureProcessed([], true) !!}\u003c/code\u003e and the \u003ccode\u003estyle-src * 'self' 'unsafe-inline'\u003c/code\u003e policy lets the styles take effect.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser evaluates the selectors and leaks the CSRF token to the attacker\u0026rsquo;s server through the resulting requests. The original advisory does not specify the exact exfiltration channel (for example DNS or HTTP).\u003c/li\u003e\n\u003cli\u003eWith the stolen token, the attacker performs state-changing requests on behalf of the victim.\u003c/li\u003e\n\u003cli\u003eIf the victim is an administrator, the attacker creates a new administrator account or changes existing users\u0026rsquo; credentials and gains full control of the instance.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation escalates an agent who can edit mailbox settings to administrator and can compromise the entire help desk: the attacker can create administrator accounts, modify user credentials, read all customer data and disrupt operations. 
The number of exposed installations is unknown, but every installation before 1.8.213 is vulnerable to any account permitted to edit mailbox settings, and exploitation needs only an administrator to view a conversation in the affected mailbox.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade FreeScout to version 1.8.213 or later to apply the fix for CVE-2026-40497.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;FreeScout Suspicious Mailbox Signature Update\u0026rdquo; to detect attempts to inject CSS into the mailbox signature field.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for POST requests to \u003ccode\u003e/mailbox/settings/{id}\u003c/code\u003e and inspect the request body for \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e tags or attribute-selector CSS. Access logs do not record POST bodies by default, so this detection requires body logging at the web server or reverse proxy.\u003c/li\u003e\n\u003cli\u003eAfter upgrading, review stored mailbox signatures for \u003ccode\u003e\u0026lt;style\u0026gt;\u003c/code\u003e blocks and remove any you find; the fix is in the sanitizer, so do not assume that signatures stored before the upgrade were cleaned.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-21T03:16:08Z","date_published":"2026-04-21T03:16:08Z","id":"/briefs/2026-04-freescout-css-injection/","summary":"FreeScout versions prior to 1.8.213 are vulnerable to CSS injection via the mailbox signature, allowing an attacker with mailbox settings access to exfiltrate CSRF tokens and escalate privileges.","title":"FreeScout CSS Injection Vulnerability in Mailbox Signature Leads to Privilege Escalation (CVE-2026-40497)","url":"https://feed.craftedsignal.io/briefs/2026-04-freescout-css-injection/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["freescout","rce","vulnerability","apache"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eFreeScout, a popular open-source help desk solution, is affected by two critical vulnerabilities, CVE-2026-27636 and CVE-2026-27637. Disclosed in February 2026, they can be exploited independently or chained to achieve remote code execution. 
CVE-2026-27636 stems from insufficient file upload restrictions, while CVE-2026-27637 relates to predictable authentication tokens. Successful exploitation allows attackers to execute arbitrary system commands, read/write files, pivot to…\u003c/p\u003e\n","date_modified":"2026-02-25T14:05:50Z","date_published":"2026-02-25T14:05:50Z","id":"/briefs/2026-02-freescout-rce/","summary":"Critical vulnerabilities, CVE-2026-27636 and CVE-2026-27637, exist in FreeScout Help Desk that could be exploited to achieve remote code execution, potentially leading to data exfiltration and system compromise.","title":"Critical Vulnerabilities in FreeScout Help Desk Allow Remote Code Execution","url":"https://feed.craftedsignal.io/briefs/2026-02-freescout-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Freescout","version":"https://jsonfeed.org/version/1.1"}