SSRF in Freescout-help-desk Freescout

CVE-2026-34443

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask() in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so…

Vulnerability class: SSRF (Server-Side Request Forgery)

EPSS: 0.001 (17.2th percentile) — read the EPSS interpretation.

Affected products

Freescout-help-desk Freescout — versions < 1.8.211

Weakness classification (CWE)

CWE-918 — Server-Side Request Forgery (SSRF)

References

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-c9v3-4c59-x5q2 (x_refsource_CONFIRM)
https://github.com/freescout-help-desk/freescout/commit/ca6d5bb572d3e8f52a0e654a8623a53cb0fdd580 (x_refsource_MISC)
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.211 (x_refsource_MISC)