freescout-help-desk — Vulnerabilities & Security Advisories (56)

Browse all 56 CVE security advisories affecting freescout-help-desk. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Top products by freescout-help-desk: freescout
CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41194 | FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable | freescout | CWE-352 | 5.4 | Medium | 2026-04-21
CVE-2026-41193 | FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE | freescout | CWE-22 | 9.1 | Critical | 2026-04-21
CVE-2026-41192 | FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments | freescout | CWE-862 | 7.1 | High | 2026-04-21
CVE-2026-41191 | FreeScout's signature-only mailbox permission allows unauthorized mailbox chat setting changes | freescout | CWE-863 | 7.1 | High | 2026-04-21
CVE-2026-41190 | FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection | freescout | CWE-863 | 7.1 | High | 2026-04-21
CVE-2026-41189 | FreeScout has assigned-only visibility bypass that allows editing hidden customer-authored threads | freescout | CWE-863 | 7.1 | High | 2026-04-21
CVE-2026-41183 | FreeScout allows non-folder conversation queries to disclose assigned-only hidden conversations | freescout | CWE-200 | 4.3 | Medium | 2026-04-21
CVE-2026-40592 | FreeScout's cross-user undo reply allows mailbox peers to recall another agent's outbound reply | freescout | CWE-862 | 5.9 | Medium | 2026-04-21
CVE-2026-40591 | FreeScout: Improper Authorization in Phone Conversation Creation Enables Cross-Mailbox Hidden Customer Modification | freescout | CWE-639 | 7.1 | High | 2026-04-21
CVE-2026-40590 | FreeScout's Customer AJAX Create Modifies Hidden Existing Customer | freescout | CWE-639 | 4.3 | Medium | 2026-04-21
CVE-2026-40589 | FreeScout has Customer Edit Cross-Mailbox Email Takeover | freescout | CWE-639 | 7.6 | High | 2026-04-21
CVE-2026-40570 | FreeScout's Missing Authorization in load_customer_info Allows Any Authenticated User to Access Full Customer PII | freescout | CWE-639 | 4.3 (AI) | Medium (AI) | 2026-04-21
CVE-2026-40569 | FreeScout's Mass Assignment in Mailbox Connection Settings Enables Silent Email Exfiltration | freescout | CWE-284 | 9.0 | Critical | 2026-04-21
CVE-2026-40568 | FreeScout Vulnerable to XSS via Mailbox Signature Due to Incomplete HTML Sanitization | freescout | CWE-79 | 8.5 | High | 2026-04-21
CVE-2026-40567 | FreeScout has HTML Injection in Outgoing Emails via Unsanitized Customer Name in Signature Variables | freescout | CWE-116 | 5.8 | Medium | 2026-04-21
CVE-2026-40566 | FreeScout vulnerable to SSRF via IMAP/SMTP Connection Test Endpoints | freescout | CWE-918 | 4.1 | Medium | 2026-04-21
CVE-2026-40565 | FreeScout has Stored XSS / CSS Injection via linkify() — Unescaped URL in Anchor href | freescout | CWE-79 | 6.1 | Medium | 2026-04-21
CVE-2026-40498 | FreeScout has Authentication Bypass and Information Disclosure in SystemController via /system/cron | freescout | CWE-200 | 9.1 (AI) | Critical (AI) | 2026-04-21
CVE-2026-40497 | FreeScout Vulnerable to CSS Injection via Stored Style Tag in Mailbox Signature (CSRF Token Exfiltration) | freescout | CWE-79 | 8.1 | High | 2026-04-21
CVE-2026-40496 | FreeScout has Predictable Attachment Token that Allows Unauthenticated Private File Download via Brute Force | freescout | CWE-330 | 8.2 (AI) | High (AI) | 2026-04-21
CVE-2026-35584 | FreeScout has an Unauthenticated IDOR in Open Tracking Endpoint that Allows Cross-Conversation Thread Manipulation and Enumeration | freescout | CWE-306 | 8.2 (AI) | High (AI) | 2026-04-07
CVE-2026-39384 | FreeScout Customer Merge Cross-Mailbox Authorization Bypass | freescout | CWE-639 | 7.6 | High | 2026-04-07
CVE-2026-34442 | FreeScout: Host Header Injection Leading to External Resource Loading and Open Redirect in FreeScout | freescout | CWE-20 | 5.4 | Medium | 2026-03-31
CVE-2026-34443 | FreeScout: SSRF protection bypass via broken CIDR check in checkIpByMask() | freescout | CWE-918 | 7.5 | - | 2026-03-31
CVE-2026-32754 | FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!}) | freescout | CWE-79 | 9.3 | Critical | 2026-03-19
CVE-2026-32753 | FreeScout: Stored XSS through SVG file upload with filter bypass | freescout | CWE-80 | 6.1 | - | 2026-03-19
CVE-2026-32752 | FreeScout: Broken Access Control in ThreadPolicy — Any User Can Read/Edit All Customer Messages | freescout | CWE-284 | - | - | 2026-03-19
CVE-2026-28289 | FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution | freescout | CWE-434 | 10.0 | Critical | 2026-03-03
CVE-2026-27636 | FreeScout: Missing .htaccess in Restricted File Extensions Allows Remote Code Execution on Apache | freescout | CWE-434 | 8.8 | High | 2026-02-25
CVE-2026-27637 | FreeScout's Predictable Authentication Token Enables Account Takeover | freescout | CWE-330 | 9.8 | Critical | 2026-02-25

(AI) marks a CVSS score or severity the page tags as AI-generated; "-" means the page gives no value.

This page lists every published CVE security advisory associated with freescout-help-desk. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.