CVE-2026-32754 is a stored Cross-Site Scripting (XSS) vulnerability affecting FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. Versions 1.8.208 and earlier are vulnerable due to the way FreeScout processes incoming email bodies. These email bodies are stored directly in the database without any sanitization or escaping. When FreeScout generates outgoing email notifications, it uses Laravel Blade's raw output syntax {!! $thread->body !!} to render the email content, which outputs the stored HTML unescaped. This flaw allows an unauthenticated attacker to send a maliciously crafted email containing HTML and JavaScript payloads. When any subscribed agent or admin opens the notification email as part of their normal workflow, the malicious code executes in their email client. This can lead to universal HTML injection, enabling phishing attacks and user tracking. In email clients that support JavaScript execution, the attacker can perform session hijacking, steal credentials, and potentially take over accounts. The vulnerability affects all recipients of the notification emails simultaneously, amplifying its impact. The issue was publicly disclosed and fixed in FreeScout version 1.8.209. The CVSS v3.1 score of 9.3 indicates a critical severity, with network attack vector, no privileges required, low attack complexity, and user interaction required (opening the email). The vulnerability also has a scope change, affecting confidentiality and integrity severely but not availability. No known exploits in the wild have been reported yet.

The impact of CVE-2026-32754 is significant for organizations using vulnerable versions of FreeScout as their help desk or shared inbox solution. Because the vulnerability allows unauthenticated attackers to inject malicious HTML and JavaScript into email notifications, it can lead to widespread phishing campaigns targeting internal support agents and administrators. Successful exploitation can result in session hijacking, credential theft, and full account takeover, compromising the confidentiality and integrity of sensitive support communications and potentially the entire help desk system. This can lead to unauthorized access to customer data, internal communications, and escalation of privileges within the organization. The universal nature of the injection means all recipients of the notification emails are at risk simultaneously, increasing the attack surface and potential damage. Additionally, attackers can use this vector to implant tracking mechanisms or launch further social engineering attacks. The vulnerability does not directly impact system availability but can indirectly cause operational disruptions due to compromised accounts and loss of trust in the help desk system.

1. Immediate upgrade to FreeScout version 1.8.209 or later, where the vulnerability is patched. 2. Implement input sanitization and output encoding for all user-supplied content, especially email bodies, to prevent raw HTML/JavaScript injection. 3. Configure email clients used by agents and admins to disable automatic HTML rendering or JavaScript execution where possible, reducing the risk of client-side exploitation. 4. Employ Content Security Policy (CSP) headers or email client security features that restrict script execution in emails. 5. Monitor incoming emails for suspicious content or unusual patterns that may indicate exploitation attempts. 6. Educate support staff about the risks of opening unexpected or suspicious emails, even from known sources. 7. Consider deploying web application firewalls (WAFs) with custom rules to detect and block malicious payloads targeting FreeScout email notifications. 8. Regularly audit and review FreeScout configurations and logs for signs of exploitation or anomalous activity. 9. Isolate the help desk system network segment to limit lateral movement if compromise occurs. 10. Backup FreeScout data regularly to enable recovery in case of compromise.