Arbitrary HTML Injection in FreeScout Help Desk Software by Vendor FreeScout
CVE-2026-40567

5.8 MEDIUM

Key Information:

Status
Vendor
CVE Published: 21 April 2026

What is CVE-2026-40567?

FreeScout, a self-hosted help desk and shared mailbox solution, previously permitted an unauthenticated attacker to inject arbitrary HTML into outgoing emails. This occurred when an attacker sent an email with a specially crafted From display name that was stored unsanitized in the database. The injected HTML was later rendered unescaped in outgoing replies, making it possible for attackers to embed phishing links, tracking pixels, or spoofed content in emails sent from legitimate support addresses. The issue has been resolved in version 1.8.213.
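The bug class described above, as an added illustration that is not FreeScout's code and does not reproduce its fix: an inbound From header is parsed, the display name is kept verbatim (the flawed storage step), and the stored name is later interpolated into the HTML body of an outgoing reply. The vulnerable renderer is shown next to an output-escaped one, with a small check that flags any tag in the rendered reply that the template itself did not produce. The From header, the template and the domain `example.invalid` are constructed for this example.

```python
import html
import re
from email.utils import parseaddr

# Constructed sample inbound From header (not taken from the advisory). The
# quoted display name carries markup; the mailbox uses a placeholder domain.
INBOUND_FROM = (
    '"<b>Alice</b><img src=https://example.invalid/pixel.gif>" '
    '<alice@example.invalid>'
)

# Hypothetical reply template standing in for an HTML email body.
REPLY_TEMPLATE = "<p>{name} wrote:</p><blockquote>{quoted}</blockquote>"


def store_display_name(raw_from: str) -> str:
    """Mimic the flawed storage step: parse the From header and keep the
    display name exactly as received, markup included."""
    name, _addr = parseaddr(raw_from)
    return name


def render_reply_vulnerable(stored_name: str, quoted_text: str) -> str:
    """Interpolate the stored name into HTML with no escaping (the defect):
    whatever markup the sender supplied becomes part of the outgoing mail."""
    return REPLY_TEMPLATE.format(name=stored_name, quoted=html.escape(quoted_text))


def render_reply_fixed(stored_name: str, quoted_text: str) -> str:
    """Escape every untrusted value at the HTML sink, so the display name is
    shown as literal text in the outgoing mail."""
    return REPLY_TEMPLATE.format(
        name=html.escape(stored_name, quote=True),
        quoted=html.escape(quoted_text),
    )


# Tags the template itself emits; anything else in the output came from data.
ALLOWED_TAGS = {"p", "blockquote"}


def foreign_tags(rendered: str) -> list[str]:
    """Return the names of tags in the rendered reply that the template did
    not produce. An empty list means no untrusted markup reached the output."""
    tags = re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", rendered)
    return sorted({t.lower() for t in tags} - ALLOWED_TAGS)


if __name__ == "__main__":
    name = store_display_name(INBOUND_FROM)
    bad = render_reply_vulnerable(name, "Hello, I need help with my order.")
    good = render_reply_fixed(name, "Hello, I need help with my order.")
    print("vulnerable output :", bad)
    print("foreign tags      :", foreign_tags(bad))
    print("escaped output    :", good)
    print("foreign tags      :", foreign_tags(good))
```

The check in `foreign_tags` is deliberately simple: it assumes the template's own tag set is known, which is a reasonable invariant for a fixed email layout and gives a cheap regression test for the "display name rendered unescaped" path. Escaping at the sink rather than on storage means the raw name remains available for other uses (logging, search) without ever being interpreted as HTML.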

Affected Version(s)

freescout < 1.8.213

References

CVSS v3.1

Score: 5.8
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved
