CVE-2026-40568

Source
https://cve.org/CVERecord?id=CVE-2026-40568
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40568.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40568
Aliases
  • GHSA-w2f5-6wcv-677r
Published
2026-04-21T16:08:37.296Z
Modified
2026-07-15T01:48:54.425030166Z
Severity
  • 8.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N CVSS Calculator
Summary
FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization
Details

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function Helper::stripDangerousTags() (app/Misc/Helper.php:568) uses an incomplete blocklist of only four HTML tags (script, form, iframe, object) and does not remove event handler attributes. When a mailbox signature is saved via MailboxesController::updateSave() (app/Http/Controllers/MailboxesController.php:267), HTML elements such as <img>, <svg>, and <details> with event handler attributes like onerror and onload pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade {!! !!} tag in editor_bottom_toolbar.blade.php:6 and re-inserted into the visible DOM by jQuery .html() at main.js:1789-1790, triggering the injected event handlers. Any authenticated user with the ACCESS_PERM_SIGNATURE (sig) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40568.json",
    "cwe_ids": [
        "CWE-116",
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/freescout-help-desk/freescout

Affected ranges

Type
GIT
Repo
https://github.com/freescout-help-desk/freescout
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.8.213"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

1.*
1.0.0
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.1.0
1.1.1
1.1.10
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.3.0
1.3.1
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.3.17
1.3.18
1.3.19
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.4.1
1.4.10
1.4.11
1.4.12
1.4.2
1.4.3
1.4.4
1.4.6
1.4.7
1.4.8
1.4.9
1.5.0
1.5.1
1.5.10
1.5.11
1.5.12
1.5.13
1.5.14
1.5.15
1.5.2
1.5.3
1.5.4
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.6.0
1.6.1
1.6.10
1.6.11
1.6.12
1.6.13
1.6.14
1.6.15
1.6.16
1.6.17
1.6.18
1.6.19
1.6.2
1.6.20
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.7.0
1.7.1
1.7.10
1.7.11
1.7.12
1.7.13
1.7.14
1.7.15
1.7.16
1.7.17
1.7.18
1.7.19
1.7.2
1.7.20
1.7.21
1.7.22
1.7.23
1.7.24
1.7.25
1.7.26
1.7.27
1.7.28
1.7.29
1.7.3
1.7.30
1.7.4
1.7.5
1.7.6
1.7.7
1.7.9
1.8.0
1.8.1
1.8.10
1.8.100
1.8.101
1.8.102
1.8.103
1.8.104
1.8.105
1.8.106
1.8.107
1.8.108
1.8.109
1.8.11
1.8.110
1.8.111
1.8.112
1.8.113
1.8.114
1.8.115
1.8.116
1.8.117
1.8.118
1.8.119
1.8.12
1.8.120
1.8.121
1.8.122
1.8.123
1.8.124
1.8.125
1.8.126
1.8.127
1.8.128
1.8.129
1.8.13
1.8.130
1.8.131
1.8.132
1.8.133
1.8.134
1.8.135
1.8.136
1.8.137
1.8.138
1.8.139
1.8.14
1.8.140
1.8.141
1.8.142
1.8.143
1.8.144
1.8.145
1.8.146
1.8.147
1.8.148
1.8.149
1.8.15
1.8.150
1.8.151
1.8.152
1.8.153
1.8.154
1.8.155
1.8.156
1.8.157
1.8.158
1.8.159
1.8.16
1.8.160
1.8.161
1.8.162
1.8.163
1.8.164
1.8.165
1.8.166
1.8.167
1.8.168
1.8.169
1.8.17
1.8.170
1.8.171
1.8.172
1.8.173
1.8.174
1.8.175
1.8.176
1.8.177
1.8.178
1.8.179
1.8.18
1.8.180
1.8.181
1.8.182
1.8.183
1.8.184
1.8.185
1.8.186
1.8.187
1.8.188
1.8.189
1.8.19
1.8.190
1.8.191
1.8.192
1.8.193
1.8.194
1.8.195
1.8.196
1.8.197
1.8.198
1.8.199
1.8.2
1.8.20
1.8.200
1.8.201
1.8.202
1.8.203
1.8.204
1.8.205
1.8.206
1.8.207
1.8.208
1.8.209
1.8.21
1.8.210
1.8.211
1.8.212
1.8.22
1.8.23
1.8.24
1.8.25
1.8.26
1.8.27
1.8.28
1.8.29
1.8.3
1.8.30
1.8.31
1.8.32
1.8.33
1.8.34
1.8.35
1.8.36
1.8.37
1.8.38
1.8.39
1.8.4
1.8.40
1.8.41
1.8.42
1.8.43
1.8.44
1.8.45
1.8.46
1.8.47
1.8.48
1.8.49
1.8.5
1.8.50
1.8.51
1.8.52
1.8.53
1.8.54
1.8.55
1.8.56
1.8.57
1.8.58
1.8.59
1.8.6
1.8.60
1.8.61
1.8.62
1.8.63
1.8.65
1.8.66
1.8.67
1.8.68
1.8.69
1.8.7
1.8.70
1.8.71
1.8.72
1.8.73
1.8.74
1.8.75
1.8.76
1.8.77
1.8.78
1.8.79
1.8.8
1.8.80
1.8.81
1.8.82
1.8.83
1.8.84
1.8.85
1.8.86
1.8.87
1.8.88
1.8.89
1.8.9
1.8.90
1.8.91
1.8.92
1.8.93
1.8.94
1.8.95
1.8.96
1.8.97
1.8.98
1.8.99

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40568.json"