Cross-Site Scripting Vulnerability in FreeScout Help Desk Software
CVE-2026-40497

8.1 HIGH

Key Information:

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-40497?

A vulnerability in FreeScout allows an attacker with access to mailbox settings to inject CSS, because the mailbox signature field is rendered without escaping. An injected stylesheet can be used to exfiltrate CSRF tokens from agents or administrators who view the affected conversations. The root cause is insufficient sanitization of the signature field: <style> tags are not stripped, so attacker-controlled styles reach the rendered page. This extends previously known issues with the signature field and enables privilege escalation, since a stolen CSRF token lets the attacker perform state-changing actions as the victim. The issue is fixed in version 1.8.213, which strips these tags from the signature.
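To illustrate the class of fix the advisory describes (dropping <style> tags before a signature is rendered), here is an added Python sanitizer; it is not FreeScout's own code, which is PHP and not shown on this page. It goes slightly beyond the advisory by also discarding <script> elements and inline style attributes, and the sample signature is constructed for the demonstration.

```python
"""Sanitize an HTML mailbox signature by removing CSS and script carriers.

Hypothetical hardening of a signature field, written for illustration.
A <style> element is removed together with its contents, not just its
tags, because the CSS text itself is what the advisory describes as the
exfiltration vehicle.
"""
from html.parser import HTMLParser
from html import escape

# Elements dropped with everything inside them (assumed policy).
DROP_WITH_CONTENT = {"style", "script"}
# Attributes that carry inline CSS and are dropped as well (assumed policy).
DROP_ATTRS = {"style"}


class SignatureSanitizer(HTMLParser):
    """Rebuilds the signature markup while skipping disallowed elements."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0  # >0 while inside a dropped element

    def _emit_start(self, tag: str, attrs) -> None:
        kept = [(k, v) for k, v in attrs if k.lower() not in DROP_ATTRS]
        attr_str = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{attr_str}>")

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        elif not self.skip_depth:
            self._emit_start(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        if tag not in DROP_WITH_CONTENT and not self.skip_depth:
            self._emit_start(tag, attrs)  # self-closing tags such as <br/>

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))  # re-escape text nodes


def sanitize_signature(html: str) -> str:
    """Return the signature with <style>/<script> elements and inline CSS removed."""
    parser = SignatureSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample signature: a benign <style> block and an inline style.
SAMPLE_SIGNATURE = '<p>Regards,<br>Alice</p><style>p{color:red}</style><b style="color:red">Support</b>'
```

Running `sanitize_signature(SAMPLE_SIGNATURE)` yields `<p>Regards,<br>Alice</p><b>Support</b>`, with the stylesheet and inline CSS gone.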

Affected Version(s)

freescout < 1.8.213

References

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
