CVE-2026-32754
FreeScout · FreeScout
FreeScout versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) via unsanitized email notification templates, allowing unauthenticated attackers to execute arbitrary scripts.
Executive summary
A critical Stored XSS vulnerability in FreeScout lets an unauthenticated attacker inject script into email notification content. When an agent or administrator views the affected notification, the script runs in their browser session, enabling session hijacking and account takeover.
Vulnerability
This is a Stored Cross-Site Scripting (XSS) vulnerability in FreeScout, a Laravel-based help desk: content taken from incoming email bodies is inserted into email notification templates without adequate sanitization. The flaw is in FreeScout's templates, not in Laravel itself. An attacker who can send email to a monitored mailbox therefore needs no account to store HTML or JavaScript that executes in the browser of any agent or administrator who views the resulting notification, leading to credential theft or account takeover.
Business impact
The exploitation of this vulnerability poses a severe risk to organizational security, as it allows attackers to compromise administrative accounts and gain unauthorized access to sensitive help desk communications. Given the CVSS score of 9.3, this flaw represents a critical threat to data confidentiality and integrity, potentially leading to widespread account compromise and reputational damage.
Remediation
Immediate Action: Upgrade FreeScout to version 1.8.209 or later, which applies the necessary output sanitization.
Proactive Monitoring: Review inbound email, in particular HTML parts, for script tags, event-handler attributes and javascript: or data: URLs, and check application and web server logs for agent or administrator sessions that originate from unexpected addresses or perform unusual actions shortly after viewing a conversation.
Compensating Controls: Deploy a Content Security Policy (CSP) that disallows inline script, so injected markup cannot execute even if it is rendered; test the policy against the FreeScout UI first, since a policy that blocks inline script the application itself relies on will break it. Note that a WAF inspects HTTP requests only: it can filter XSS payloads submitted through web forms, but it never sees email bodies that FreeScout retrieves over IMAP or receives through a mail pipe, which is the vector here.
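The monitoring step above is easiest to act on with a small triage scanner. The following is an added example, not FreeScout's own code: it parses raw RFC 822 messages with the Python standard library, extracts the text/html parts and reports markup that a stored XSS delivered through an email body depends on (script and framing tags, on* event attributes, javascript:/data:/vbscript: URLs, including entity-encoded and whitespace-split schemes that browsers still honour). The two sample messages are constructed for the example; the mailbox, addresses and payloads are not taken from the advisory.

```python
"""Triage scanner for active content in HTML email parts (added example, not FreeScout code).

Feed it raw messages from a mailbox dump, an IMAP fetch or a mail pipe; anything it
flags deserves a look before an agent opens the conversation in the help desk.
"""
import email
from email import policy
from html.parser import HTMLParser

# Elements that execute or load active content when a browser renders them.
ACTIVE_TAGS = {"script", "iframe", "frame", "object", "embed", "svg", "math",
               "base", "meta", "link", "form", "template"}
# URL-bearing attributes where a javascript:/data:/vbscript: scheme executes code.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data",
             "poster", "background"}
DANGEROUS_SCHEMES = ("javascript:", "vbscript:", "data:")


def _normalize_scheme(value):
    # Browsers ignore ASCII whitespace and control characters inside a URL scheme,
    # so "java\tscript:" still runs; strip them before matching the prefix.
    cleaned = "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31)
    return cleaned.lower()


class ActiveContentFinder(HTMLParser):
    """Collects markup that would execute or load code when rendered to an agent."""

    def __init__(self):
        # HTMLParser lowercases tag/attribute names and decodes entities in attribute
        # values, so "&#106;avascript:" reaches handle_starttag as "javascript:".
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(f"tag:{tag}")
        for name, value in attrs:
            if name.startswith("on") and len(name) > 2:
                self.findings.append(f"event:{tag}@{name}")
            elif name in URL_ATTRS and value:
                scheme = _normalize_scheme(value)
                for bad in DANGEROUS_SCHEMES:
                    if scheme.startswith(bad):
                        self.findings.append(f"url:{tag}@{name}={bad}")


def scan_html(markup):
    """Return the list of active-content findings for one HTML string."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def scan_message(raw):
    """Parse a raw message and scan every text/html part it contains."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            findings.extend(scan_html(part.get_content()))
    return {"from": msg["From"], "subject": msg["Subject"], "findings": findings}


# Constructed sample messages for the example (not real traffic).
BENIGN = """\
From: customer@example.org
To: support@helpdesk.example
Subject: Invoice question
Content-Type: text/html; charset="utf-8"

<p>Hello, is invoice <b>#1042</b> still open? <a href="https://example.org/inv/1042">link</a></p>
"""

MALICIOUS = """\
From: attacker@example.net
To: support@helpdesk.example
Subject: Urgent
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please see the HTML version.
--b1
Content-Type: text/html; charset="utf-8"

<p>Hi<img src="x" onerror="alert(document.domain)"></p>
<a href="&#106;ava&#9;script:alert(1)">click</a>
<script>alert(1)</script>
--b1--
"""

if __name__ == "__main__":
    for raw in (BENIGN, MALICIOUS):
        report = scan_message(raw)
        verdict = "FLAG" if report["findings"] else "ok"
        print(f'{verdict:4} {report["from"]!s:24} {report["subject"]!s:18} {report["findings"]}')
```

The scanner is deliberately a detector, not a sanitizer: a message that is flagged should be quarantined or inspected, while the real fix remains the upgrade and, as defence in depth, a CSP that refuses inline script. Extending the same walk to text/plain parts is not useful, since plain text is not interpreted as markup unless the application itself renders it as HTML.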
Exploitation status
Public Exploit Available: False
Analyst recommendation
The severity of this vulnerability necessitates immediate action. Administrators must prioritize updating FreeScout to version 1.8.209 or later to remove the risk of session hijacking and unauthorized account access; the flaw is a stored XSS that runs in an agent's browser, not remote code execution on the server.