CVE-2026-32753: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in freescout-help-desk freescout
CVE-2026-32753 is a high-severity cross-site scripting (XSS) vulnerability in FreeScout versions prior to 1.8.209. It arises from improper sanitization of SVG files disguised with a .png extension and a content type of image/svg+xml, allowing malicious JavaScript execution. Authenticated users can upload crafted SVG files that bypass file extension and content-type checks, causing the server to render the SVG inline. When other users or administrators view the malicious file, the embedded script executes, enabling actions on their behalf without their consent. This vulnerability exploits weaknesses in the attachment view logic and SVG sanitization fallback mechanisms. It requires no special privileges beyond authentication and no user interaction beyond viewing the malicious content. The issue has been fixed in version 1.
AI Analysis
Technical Summary
CVE-2026-32753 is a cross-site scripting vulnerability classified under CWE-80 affecting FreeScout, a PHP Laravel-based help desk and shared inbox application. The flaw exists in versions 1.8.208 and earlier due to improper neutralization of script-related HTML tags within SVG files uploaded as attachments. FreeScout restricts inline rendering of uploaded files based on file extension and declared Content-Type headers, allowing only 'safe' files like .png images to be rendered inline, while others are served as attachments. However, the vulnerability arises because an attacker can upload an SVG file containing malicious JavaScript with a filename using an allowed extension (e.g., .png) and a Content-Type of image/svg+xml. This combination bypasses the extension and content-type checks, causing the server to treat the file as a safe image and render it inline. Additionally, the SVG sanitizer's fallback mechanism on invalid XML is insufficient, allowing script execution. Any authenticated user can exploit this by uploading such a crafted file and setting up a URL that, when visited by other users or administrators, triggers the embedded JavaScript. This script can perform actions on behalf of the victim, potentially leading to session hijacking, privilege escalation, or unauthorized operations within the application. The vulnerability does not require elevated privileges beyond authentication and does not need victim interaction beyond viewing the malicious content. The issue was addressed and fixed in FreeScout version 1.8.209 by improving file validation and sanitization processes.
Potential Impact
This vulnerability poses a significant risk to organizations using affected FreeScout versions, as it enables authenticated attackers to execute arbitrary JavaScript in the context of other users, including administrators. The impact includes potential session hijacking, unauthorized actions such as modifying tickets or user data, privilege escalation, and data leakage. Since FreeScout is used for help desk and shared inbox management, compromise could lead to exposure of sensitive customer information and disruption of support operations. The ease of exploitation—requiring only authentication and no special privileges—means insider threats or compromised accounts can leverage this flaw. The vulnerability could also be chained with other attacks to gain broader access or persistence. Although no known exploits are reported in the wild yet, the high CVSS score (8.5) and the nature of the flaw make it a critical risk that could affect confidentiality, integrity, and availability of organizational support systems.
Mitigation Recommendations
Organizations should immediately upgrade FreeScout to version 1.8.209 or later, where the vulnerability is fixed. Until upgrading, administrators should restrict file upload permissions to trusted users only and disable inline rendering of image files with ambiguous or potentially unsafe content types. Implement additional server-side validation to verify that file content matches the declared extension and MIME type, especially for SVG files. Employ strict Content Security Policy (CSP) headers to limit script execution and reduce XSS impact. Regularly audit and monitor uploaded files for suspicious content and review user permissions to minimize the risk of malicious uploads. Educate users about the risks of uploading files and enforce multi-factor authentication to reduce the risk of account compromise. Finally, conduct penetration testing focused on file upload and rendering functionalities to detect similar weaknesses.
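The check described in the technical summary and the server-side validation recommended above, as an added Python example that is not FreeScout's code: `weak_disposition` is a constructed stand-in for an extension-plus-header check that never looks at the bytes, `hardened_disposition` only allows inline rendering when extension, declared type and sniffed content all agree, and `serve_headers` adds the nosniff and CSP headers. The allowlist, the sample SVG and the sample PNG header are constructed for the example.

```python
import re
# Extension -> MIME type the bytes must sniff as before inline rendering is allowed (constructed allowlist).
INLINE_SAFE = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
_XML_START = re.compile(rb"^\s*(?:<\?xml\b|<!DOCTYPE\s+svg\b|<svg\b)", re.IGNORECASE)

# Constructed sample uploads: SVG markup carrying a script element, and a minimal PNG header.
SVG_NAMED_PNG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* constructed marker */</script></svg>'
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

def sniff_mime(data: bytes) -> str:
    """Classify a file by its leading bytes, ignoring its name and the declared Content-Type."""
    head = data[:512]
    if head.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if head.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if head.startswith((b"GIF87a", b"GIF89a")):
        return "image/gif"
    if head.startswith(b"\xef\xbb\xbf"):  # drop a UTF-8 BOM before looking for markup
        head = head[3:]
    if _XML_START.match(head) or b"<svg" in head.lower():
        return "image/svg+xml"
    return "application/octet-stream"

def _ext(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""

def weak_disposition(filename: str, declared_mime: str) -> str:
    """Name-and-header check in the spirit of the pre-fix logic: bytes are never inspected,
    so 'avatar.png' declared as image/svg+xml still counts as a safe inline image."""
    if _ext(filename) in INLINE_SAFE and declared_mime.startswith("image/"):
        return "inline"
    return "attachment"

def hardened_disposition(filename: str, declared_mime: str, data: bytes) -> str:
    """Render inline only when extension, declared type and sniffed bytes all agree."""
    expected = INLINE_SAFE.get(_ext(filename))
    if expected is None or sniff_mime(data) != expected or declared_mime != expected:
        return "attachment"  # any disagreement: force download, never render markup
    return "inline"

def serve_headers(filename: str, declared_mime: str, data: bytes) -> dict:
    """Sniffed type wins, nosniff stops browser guessing, and a sandbox CSP blocks script even if inlined."""
    return {
        "Content-Type": sniff_mime(data),
        "Content-Disposition": f'{hardened_disposition(filename, declared_mime, data)}; filename="{filename}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; script-src 'none'",
    }
```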
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T18:53:03.532Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc708fe32a4fbe5ffd51a6
Added to database: 3/19/2026, 9:54:23 PM
Last enriched: 3/19/2026, 10:08:53 PM
Last updated: 3/20/2026, 12:08:55 AM