Freescout-help-desk Freescout
65 CVEs affecting Freescout-help-desk Freescout. Latest disclosed: 2026-05-29. Critical: 6, High: 14.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-28289 | Critical | 10.0 | 2026-03-03 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and ear… |
| CVE-2026-27637 | Critical | 9.8 | 2026-02-25 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's `TokenAuth` middleware uses a predicta… |
| CVE-2026-32754 | Critical | 9.3 | 2026-03-19 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XS… |
| CVE-2026-41902 | Critical | 9.1 | 2026-05-07 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-chara… |
| CVE-2026-41193 | Critical | 9.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without v… |
| CVE-2026-40569 | Critical | 9.0 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a mass assignment vulnerability in the mailbox connection settings… |
| CVE-2026-27636 | High | 8.8 | 2026-02-25 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/M… |
| CVE-2026-40568 | High | 8.5 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox s… |
| CVE-2026-40497 | High | 8.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::stripDangerousTags()` removes `<script>`, `<form>`… |
| CVE-2026-41905 | High | 7.7 | 2026-05-07 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, Helper::sanitizeRemoteUrl() in app/Misc/Helper.php… |
| CVE-2026-41904 | High | 7.6 | 2026-05-07 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, a user with updateAutoReply permission can store a… |
| CVE-2026-40589 | High | 7.6 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, a low-privileged agent can edit a visible customer and add an email add… |
| CVE-2026-39384 | High | 7.6 | 2026-04-07 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.212, FreeScout does not take the limit_user_customer_visibility… |
| CVE-2026-47123 | High | 7.5 | 2026-05-29 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.220, the email processing pipeline in FreeScout's FetchEmails c… |
| CVE-2026-41906 | High | 7.1 | 2026-05-07 | FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.214, the Change Customer modal correctly hides out-of-s… |
| CVE-2026-41192 | High | 7.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment ID… |
| CVE-2026-41191 | High | 7.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside t… |
| CVE-2026-41190 | High | 7.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversa… |
| CVE-2026-41189 | High | 7.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, w… |
| CVE-2026-40591 | High | 7.1 | 2026-04-21 | FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `custo… |