CVE-2026-32753: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in freescout-help-desk freescout
CVE-2026-32753 is a high-severity cross-site scripting (XSS) vulnerability in FreeScout versions prior to 1.8.209. It arises from improper sanitization of SVG files masquerading as PNG images, allowing authenticated users to upload malicious SVG content that executes JavaScript when rendered inline. The flaw lies in the application's file extension and content-type checks, which incorrectly permit an SVG payload with a .png extension and an image/svg+xml content type to bypass security controls. When another user or administrator views the malicious attachment, the embedded script executes with their privileges, enabling actions on their behalf without their consent. This flaw affects the confidentiality and integrity of user sessions and data. The issue has been fixed in version 1.8.
AI Analysis
Technical Summary
CVE-2026-32753 is a cross-site scripting (XSS) vulnerability classified under CWE-80, affecting FreeScout, a PHP Laravel-based help desk and shared inbox application. In versions 1.8.208 and earlier, the application’s logic for handling uploaded attachments and sanitizing SVG files is flawed. FreeScout restricts inline rendering of uploaded files based on file extension and declared Content-Type headers, allowing only files deemed 'safe' to be displayed inline in browsers. However, an attacker can upload an SVG file containing malicious JavaScript by naming it with an allowed extension such as .png and setting the Content-Type to image/svg+xml. This bypasses the extension and content-type checks, causing the server to treat the file as a safe image and render it inline. The SVG content can include script elements that execute when the file is viewed, leading to XSS. The fallback mechanism on invalid XML further weakens the SVG sanitizer, increasing the attack surface. Exploitation requires an authenticated user to upload the malicious file and create a URL that, when visited by other users or administrators, triggers the script execution. This can lead to session hijacking, unauthorized actions, or data theft. The vulnerability was addressed in FreeScout version 1.8.209 by improving file validation and sanitization processes.
Potential Impact
This vulnerability poses a significant risk to organizations using FreeScout versions prior to 1.8.209. Successful exploitation allows attackers with valid user credentials to execute arbitrary JavaScript in the context of other users, including administrators. This can lead to session hijacking, unauthorized access to sensitive information, manipulation of help desk tickets, and potential lateral movement within the organization's infrastructure. The integrity and confidentiality of user data and communications are at risk, as attackers can perform actions on behalf of victims without their knowledge. Since FreeScout is often used in customer support and internal communication, exploitation could disrupt business operations and damage trust. The vulnerability's ease of exploitation (requiring only authenticated access and no user interaction beyond visiting a crafted URL) amplifies its threat. Although no known exploits are reported in the wild yet, the high CVSS score (8.5) reflects the seriousness of this flaw.
Mitigation Recommendations
Organizations should immediately upgrade FreeScout to version 1.8.209 or later, where this vulnerability is fixed. Beyond patching, implement strict server-side validation of uploaded files, ensuring that file extensions and MIME types are consistent and that SVG files are either disallowed or sanitized using robust, well-maintained libraries. Disable inline rendering of user-uploaded SVG files unless absolutely necessary and consider converting SVGs to safer formats before display. Employ Content Security Policy (CSP) headers to restrict script execution and reduce XSS impact. Monitor logs for suspicious file uploads and access patterns. Limit upload permissions to trusted users and enforce multi-factor authentication to reduce the risk of compromised accounts being used to exploit this vulnerability. Regularly audit and test file upload functionalities for similar weaknesses.
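The bypass described in the technical summary and the server-side validation recommended above can be shown side by side. The following Python is an added example written for this page; it is not FreeScout's code and does not reproduce its checks. It contrasts a weak check that trusts the file extension and any `image/*` declared type (so an SVG named `.png` with a declared `image/svg+xml` type passes) with a validator that requires the extension, the declared type and the file's own leading bytes to agree on one allowed raster format, and otherwise serves the file as a download under a neutral content type. All function names, sample file names and byte strings are constructed for illustration; the hardened check deliberately treats any XML or SVG markup as non-inline without trying to find script in it, since sanitizing markup is exactly the step the advisory says went wrong.

```python
import re

# Magic-byte signatures for the raster formats this hypothetical app renders inline.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}
EXT_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
# Any leading XML prolog, SVG doctype or <svg> root means markup, whatever the name claims.
MARKUP_START = re.compile(rb"^\s*(<\?xml|<!DOCTYPE\s+svg|<svg)", re.IGNORECASE)


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def weak_is_inline_safe(filename: str, declared_type: str) -> bool:
    """The kind of check the advisory describes: trusts the extension and accepts
    any image/* declared type, so an SVG named .png declared as image/svg+xml passes."""
    return extension_of(filename) in EXT_TYPES and declared_type.startswith("image/")


def sniff_type(data: bytes) -> str:
    """MIME type implied by the file's own bytes, not by its name or headers."""
    head = data[3:] if data.startswith(b"\xef\xbb\xbf") else data  # drop a UTF-8 BOM
    for signature, mime in MAGIC.items():
        if head.startswith(signature):
            return mime
    if MARKUP_START.match(head[:512]):
        return "image/svg+xml"
    return "application/octet-stream"


def decide_response(filename: str, declared_type: str, data: bytes) -> dict:
    """Hardened check: extension, declared type and sniffed bytes must all agree on one
    allowed raster type; anything else is served as a download with a neutral type and a
    restrictive CSP, so markup inside it is never interpreted by the browser."""
    ext_type = EXT_TYPES.get(extension_of(filename))
    sniffed = sniff_type(data)
    consistent = ext_type is not None and sniffed == ext_type and declared_type == ext_type
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "download"
    if consistent:
        return {
            "inline": True,
            "content_type": sniffed,
            "headers": {"Content-Disposition": "inline", "X-Content-Type-Options": "nosniff"},
        }
    return {
        "inline": False,
        "content_type": "application/octet-stream",
        "headers": {
            "Content-Disposition": f'attachment; filename="{safe_name}"',
            "X-Content-Type-Options": "nosniff",
            "Content-Security-Policy": "default-src 'none'; sandbox",
        },
    }


# Constructed samples: a minimal PNG header and a plain SVG that will be uploaded as .png.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
SVG_BYTES = b'<?xml version="1.0"?>\n<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/></svg>'

if __name__ == "__main__":
    print("weak check, svg-as-png:", weak_is_inline_safe("logo.png", "image/svg+xml"))
    print("hardened, svg-as-png:", decide_response("logo.png", "image/svg+xml", SVG_BYTES))
    print("hardened, real png:", decide_response("logo.png", "image/png", PNG_BYTES))
```

The point of `decide_response` is that the three signals are required to agree rather than any one of them being trusted: a correctly declared `image/png` with SVG bytes, or a genuine PNG under a `.jpg` name, both fall through to the download branch. `X-Content-Type-Options: nosniff` keeps the browser from second-guessing the neutral type, and the attachment disposition means the file is never rendered in the application's origin even if it is opened.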
Affected Countries
United States, Germany, United Kingdom, France, Canada, Australia, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T18:53:03.532Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bc708fe32a4fbe5ffd51a6
Added to database: 3/19/2026, 9:54:23 PM
Last enriched: 3/27/2026, 7:33:39 PM
Last updated: 4/29/2026, 4:20:04 PM