CVE-2026-40497 is a high-severity cross-site scripting vulnerability in FreeScout help desk software versions before 1.8.213. The vulnerability stems from the Helper::stripDangerousTags() function, which removes script, form, iframe, and object tags but fails to strip <style> tags from the mailbox signature field. Because the mailbox signature is saved and later rendered unescaped in conversation views, and the Content Security Policy allows unsafe inline styles, an attacker with mailbox settings access can inject CSS attribute selectors that exfiltrate CSRF tokens from other users viewing the mailbox. With these tokens, the attacker can perform privileged actions, including creating admin accounts or changing credentials, effectively escalating privileges from agent to admin. The issue is a result of an incomplete fix for a prior XSS vulnerability (GHSA-jqjf-f566-485j). The vulnerability is fixed in FreeScout version 1.8.213.

An attacker with agent-level mailbox settings permissions can exploit this vulnerability to inject malicious CSS that steals CSRF tokens from administrators or other agents viewing mailbox conversations. This enables the attacker to perform unauthorized state-changing actions with elevated privileges, such as creating admin accounts or modifying credentials, leading to privilege escalation. The vulnerability does not impact availability but has high confidentiality and integrity impacts.

Upgrade FreeScout to version 1.8.213 or later, which contains the updated fix that properly addresses the incomplete sanitization of the mailbox signature field. Until upgraded, restrict mailbox settings access to trusted users only, as exploitation requires such permissions. Patch status is not explicitly stated in the advisory fields, but the description confirms version 1.8.213 contains the fix.