{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32754", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.532Z", "datePublished": "2026-03-19T21:35:17.373Z", "dateUpdated": "2026-03-20T18:52:18.644Z"}, "containers": {"cna": {"title": "FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-116", "lang": "en", "description": "CWE-116: Improper Encoding or Escaping of Output", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-56h2-5556-r6mg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-56h2-5556-r6mg"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/3329379db38a86cf7069b0709061b95a7d38985b", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/3329379db38a86cf7069b0709061b95a7d38985b"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.209", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:35:17.373Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email, and when opened by any subscribed agent or admin as part of their normal workflow, enabling universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover) affecting all recipients simultaneously. This issue has been fixed in version 1.8.209."}], "source": {"advisory": "GHSA-56h2-5556-r6mg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T18:49:32.844137Z", "id": "CVE-2026-32754", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:52:18.644Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32754", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T18:49:32.844137Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:51:57.023Z"}}], "cna": {"title": "FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})", "source": {"advisory": "GHSA-56h2-5556-r6mg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.209"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-56h2-5556-r6mg", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-56h2-5556-r6mg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/3329379db38a86cf7069b0709061b95a7d38985b", "name": "https://github.com/freescout-help-desk/freescout/commit/3329379db38a86cf7069b0709061b95a7d38985b", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email, and when opened by any subscribed agent or admin as part of their normal workflow, enabling universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover) affecting all recipients simultaneously. This issue has been fixed in version 1.8.209."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-116", "description": "CWE-116: Improper Encoding or Escaping of Output"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:35:17.373Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32754", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:52:18.644Z", "dateReserved": "2026-03-13T18:53:03.532Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-19T21:35:17.373Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "matchCriteriaId": "FA447A4F-F76D-4D18-85E7-18B185572113", "versionEndExcluding": "1.8.209", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email, and when opened by any subscribed agent or admin as part of their normal workflow, enabling universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover) affecting all recipients simultaneously. This issue has been fixed in version 1.8.209."}, {"lang": "es", "value": "FreeScout es una mesa de ayuda gratuita y una bandeja de entrada compartida construida con el framework Laravel de PHP. Las versiones 1.8.208 e inferiores son vulnerables a Cross-Site Scripting Almacenado (XSS) a trav\u00e9s de las plantillas de notificaci\u00f3n por correo electr\u00f3nico de FreeScout. Los cuerpos de los correos electr\u00f3nicos entrantes se almacenan en la base de datos sin sanitizaci\u00f3n y se renderizan sin escapar en las notificaciones de correo electr\u00f3nico salientes utilizando la sintaxis de salida sin procesar de Blade {!! $thread-&gt;body !!}. Un atacante no autenticado puede explotar esta vulnerabilidad simplemente enviando un correo electr\u00f3nico, y cuando es abierto por cualquier agente o administrador suscrito como parte de su flujo de trabajo normal, permitiendo la inyecci\u00f3n universal de HTML (phishing, seguimiento) y, en clientes de correo electr\u00f3nico vulnerables, la ejecuci\u00f3n de JavaScript (secuestro de sesi\u00f3n, robo de credenciales, toma de control de cuenta) afectando a todos los destinatarios simult\u00e1neamente. Este problema ha sido solucionado en la versi\u00f3n 1.8.209."}], "id": "CVE-2026-32754", "lastModified": "2026-03-23T19:14:38.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-19T22:16:41.997", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/freescout-help-desk/freescout/commit/3329379db38a86cf7069b0709061b95a7d38985b"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-56h2-5556-r6mg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.209)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-03-23T21:08:17.229632+00:00", "value": {"mitigation_remediation": ["Upgrade FreeScout to version 1.8.209 or newer"], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that allows insertion of arbitrary HTML and potential JavaScript execution in email notifications, risking session hijacking and credential theft"}, "threat_synthesis": {"affected_systems": "The affected product is FreeScout, a PHP\u2011based help desk and shared inbox platform developed by freescout\u2011help\u2011desk. Versions 1.8.208 and below are vulnerable; the issue is addressed in 1.8.209 and later. The flaw exists in the email template rendering path that processes incoming messages and inserts the raw body into outgoing notification emails. All agents, administrators, and any user who views the generated notification are potentially exposed to the malicious content.", "description_and_impact": "FreeScout versions 1.8.208 and earlier store incoming email bodies in the database without sanitization and later render them unescaped in outgoing email notifications using Blade\u2019s raw output syntax {!! $thread->body !!}. This creates a stored Cross\u2011Site Scripting vulnerability that allows an attacker to inject arbitrary HTML and, if executed by an email client that supports JavaScript, to run scripts that could hijack sessions or steal credentials. The weakness is identified as CWE\u2011116 and CWE\u201179.", "risk_and_exploitability": "The CVSS score of 9.3 classifies this flaw as critical. Although the EPSS score is below 1%, indicating a low current exploitation likelihood, the vulnerability is not listed in the CISA KEV catalog. An attacker does not require authentication to exploit the flaw\u2014they can send a malicious email that is stored unchanged, and when any subscribed user opens the resulting notification email, the embedded content is rendered. This simplicity and lack of prerequisite make the attack straightforward in a typical deployment. Administrators should prioritize applying the fix to remove the risk entirely."}}}}, "created": "2026-03-20T08:55:32.763949+00:00", "updated": "2026-03-25T11:54:41.832542+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}