Cross-Site Scripting in FreeScout Help Desk by Laravel Framework
CVE-2026-41904

7.6 HIGH

Key Information:

Status:
Vendor:
CVE Published: 7 May 2026

What is CVE-2026-41904?

FreeScout, a help desk application built on the Laravel framework, contains a stored Cross-Site Scripting (XSS) vulnerability: a user holding the updateAutoReply permission can embed a script payload in an auto-reply message. When a customer emails the help desk, the auto-reply is sent with that payload unescaped in the message body, so any recipient whose webmail or mail client renders the HTML may execute the script. The issue is fixed in version 1.8.217.
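To illustrate the rendering flaw described above and its fix, here is an added Python example (not FreeScout's own code): a vulnerable auto-reply renderer that interpolates the stored message into an HTML mail body unchanged, a hardened version that escapes it, and an audit check an administrator could run over existing auto-replies before upgrading. The stored text, the `{customer}` placeholder and the function names are constructed for this example.

```python
import html
import re

# Constructed sample of what a user with updateAutoReply rights might save.
# Test input for this example only, not data taken from a FreeScout instance.
STORED_AUTO_REPLY = "Thanks for writing in, {customer}!<script>alert(1)</script>"

WRAPPER = "<html><body><p>{body}</p></body></html>"


def render_auto_reply_vulnerable(stored_text: str, customer: str) -> str:
    """Places the stored auto-reply into the HTML body as-is.

    Any markup saved in the auto-reply, and any markup in the customer
    name, reaches the recipient's mail client unescaped (the flaw in
    CVE-2026-41904).
    """
    body = stored_text.replace("{customer}", customer)
    return WRAPPER.format(body=body)


def render_auto_reply_hardened(stored_text: str, customer: str) -> str:
    """Escapes the stored auto-reply and the customer name before they are
    placed into the HTML body, so saved markup is shown as literal text."""
    safe_text = html.escape(stored_text, quote=True)
    safe_customer = html.escape(customer, quote=True)
    body = safe_text.replace("{customer}", safe_customer)
    return WRAPPER.format(body=body)


# Heuristic for active content: script tags, inline event handlers inside a
# tag, or javascript: URLs. Intended for auditing stored auto-replies; it may
# produce false positives and is not a substitute for the upstream fix.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|<[^>]*\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def auto_reply_has_active_content(stored_text: str) -> bool:
    """Returns True when a stored auto-reply contains active HTML content."""
    return ACTIVE_CONTENT.search(stored_text) is not None
```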

Affected Version(s)

freescout < 1.8.217

References

CVSS V3.1

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability reserved
