Stored Cross-Site Scripting in FreeScout by FreeScout
CVE-2026-32754
9.3 CRITICAL
What is CVE-2026-32754?
FreeScout, a free help desk solution built on PHP's Laravel framework, has a stored Cross-Site Scripting (XSS) vulnerability in its email notification templates. In versions 1.8.208 and earlier, email body data is stored in the database unsanitized. When these emails are processed and sent to users, the syntax used to render email notifications allows HTML injection, which poses significant risks such as phishing attacks, session hijacking, and even account takeovers, and affects all recipients of a crafted email. This issue was addressed in version 1.8.209.
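The pattern described above, as an added example that is not FreeScout's code: a stored email body placed into notification HTML raw, next to the same body encoded on output, plus a check for stored bodies that carry markup. The function names, the sample body and the example.invalid host are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample: the body of an inbound email as it would sit in the
// database. The markup is sender-controlled; example.invalid is a placeholder.
$storedBody = "Printer is broken.\n"
    . '<a href="https://example.invalid/login">Sign in to view ticket</a>';

// Vulnerable pattern: the stored body is concatenated into the notification
// HTML as-is, so its markup becomes part of the email every recipient gets.
// (In Laravel Blade, {!! $body !!} emits a value raw in this way.)
function renderNotificationRaw(string $body): string
{
    return '<div class="message">' . $body . '</div>';
}

// Hardened pattern: encode on output so the body is displayed as text.
// (In Laravel Blade, {{ $body }} applies HTML encoding.)
function renderNotificationEscaped(string $body): string
{
    $safe = htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // nl2br runs after encoding, so the only tags emitted are its own <br />.
    return '<div class="message">' . nl2br($safe) . '</div>';
}

// Audit helper: true when a stored body contains tags that strip_tags()
// would remove, i.e. a row worth reviewing after upgrading.
function containsMarkup(string $body): bool
{
    return strip_tags($body) !== $body;
}

echo renderNotificationRaw($storedBody), PHP_EOL;
echo renderNotificationEscaped($storedBody), PHP_EOL;
var_dump(containsMarkup($storedBody));
```

In the raw output the anchor tag survives intact inside the notification; in the encoded output it appears as `&lt;a href=...&gt;` text.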
Affected Version(s)
freescout < 1.8.209
