FreeScout is an open-source help desk and shared inbox application built on PHP's Laravel framework. Versions 1.8.208 and earlier contain a stored cross-site scripting (XSS) vulnerability (CVE-2026-32754) due to improper input neutralization in email notification templates. Specifically, incoming email bodies are stored directly in the database without sanitization and later rendered in outgoing email notifications using Laravel Blade's raw output syntax {!! $thread->body !!}, which does not escape HTML or JavaScript content. This allows an unauthenticated attacker to send a specially crafted email containing malicious HTML or JavaScript payloads. When a subscribed agent or admin opens the notification email, the malicious code executes in their context. This can lead to universal HTML injection, enabling phishing attacks, tracking, and in vulnerable email clients, JavaScript execution that can result in session hijacking, credential theft, and full account takeover. The vulnerability affects all recipients of the notification simultaneously, amplifying its impact. The vulnerability has a CVSS v3.1 base score of 9.3, reflecting its critical nature, with an attack vector of network, no privileges required, low attack complexity, user interaction required, and scope changed. No known exploits are currently reported in the wild. The issue was addressed and fixed in FreeScout version 1.8.209 by properly sanitizing and escaping email body content before rendering.

This vulnerability poses a severe risk to organizations using FreeScout versions prior to 1.8.209. An attacker can remotely exploit the flaw without authentication by sending a malicious email, which when viewed by help desk agents or administrators, can execute arbitrary HTML or JavaScript code. This can lead to widespread phishing attacks, unauthorized tracking, and in vulnerable email clients, execution of scripts that compromise session tokens, steal credentials, and enable account takeover. The compromise of help desk accounts can lead to further lateral movement within an organization, exposure of sensitive customer data, and disruption of support operations. Since the vulnerability affects all recipients of the notification, the scale of impact can be extensive within affected organizations. The critical CVSS score underscores the high potential for confidentiality and integrity breaches, although availability impact is minimal. Organizations relying on FreeScout for customer support and internal ticketing are at significant risk until patched.

Organizations should immediately upgrade FreeScout to version 1.8.209 or later, where this vulnerability is fixed. Until the update can be applied, administrators should implement strict email filtering to block suspicious or unexpected emails to the FreeScout system to reduce the risk of malicious payload delivery. Additionally, configuring FreeScout or its underlying Laravel framework to sanitize and escape all user-generated content before rendering can mitigate exploitation. Monitoring email notification templates and logs for unusual or unexpected HTML content can help detect attempted exploitation. Educating help desk agents and administrators to be cautious when opening email notifications and to report suspicious emails is also recommended. Employing web application firewalls (WAFs) with rules to detect and block XSS payloads targeting FreeScout endpoints can provide an additional layer of defense. Finally, organizations should review and harden their email client security settings to limit JavaScript execution in emails.