Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-40567

CVE-2026-40567: FreeScout Email XSS Vulnerability

CVE-2026-40567 is an XSS flaw in FreeScout that lets unauthenticated attackers inject malicious HTML into outgoing emails via crafted From names. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-40567 Overview

FreeScout is a free self-hosted help desk and shared mailbox application. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the {%customer.fullName%} signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address.

Critical Impact

Attackers can inject malicious HTML content into legitimate organizational emails, enabling sophisticated phishing attacks and email spoofing that appear to originate from trusted support addresses.

Affected Products

  • FreeScout versions prior to 1.8.213

Discovery Timeline

  • 2026-04-21 - CVE CVE-2026-40567 published to NVD
  • 2026-04-22 - Last updated in NVD database

Technical Details for CVE-2026-40567

Vulnerability Analysis

This vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output), which occurs when the application fails to properly encode or escape special characters before including user-controlled data in output. In this case, FreeScout accepts email sender display names from incoming emails and stores them directly in the database without sanitization.

When support agents reply to customers, the application uses signature templates that include the {%customer.fullName%} variable. This variable renders the stored customer name directly into outgoing HTML emails without proper escaping, allowing any HTML tags embedded in the original sender's display name to be interpreted as active content in the recipient's email client.

The network-accessible nature of this vulnerability means any external party can send an email to the help desk system with a malicious display name. No authentication or prior access is required, and the impact extends beyond the immediate system since the malicious content propagates to third parties who receive legitimate-looking emails from the organization's support address.

Root Cause

The root cause stems from insufficient output encoding in the email template rendering engine. When the {%customer.fullName%} variable is processed, the application fails to apply HTML entity encoding or escape sequences before inserting the customer name into the email body. This missing sanitization step allows raw HTML content to pass through unmodified, creating an injection point that persists across multiple email interactions.

Attack Vector

An attacker exploits this vulnerability by sending an email to a FreeScout-monitored inbox with a specially crafted From header containing HTML markup in the display name field. For example, an attacker might set their email display name to include anchor tags pointing to phishing sites, invisible tracking pixels via <img> tags, or styled elements that mimic official organization branding.

When a support agent responds to this email, the malicious HTML is automatically embedded into the outgoing reply and any subsequent communications that reference the customer's name. Recipients of these emails see content that appears to originate from the legitimate organization but contains attacker-controlled elements that can redirect them to malicious sites or track their email activity.

Detection Methods for CVE-2026-40567

Indicators of Compromise

  • Inbound emails containing HTML tags within the From display name field
  • Customer records in the database containing HTML markup like <a>, <img>, <script>, or <style> tags
  • Outgoing emails with unexpected HTML content or external resource references not present in official templates

Detection Strategies

  • Implement email gateway rules to flag incoming messages with HTML special characters in sender display names
  • Audit the FreeScout customer database for entries containing HTML tags or URL references in name fields
  • Review outgoing email logs for embedded content that deviates from approved signature templates

Monitoring Recommendations

  • Monitor outgoing email queues for messages containing suspicious HTML patterns or external tracking pixel URLs
  • Set up alerts for new customer records created with display names exceeding normal length or containing special characters
  • Track click-through rates on links in support emails to identify potential phishing redirections

How to Mitigate CVE-2026-40567

Immediate Actions Required

  • Upgrade FreeScout to version 1.8.213 or later immediately
  • Audit existing customer records in the database for potentially malicious HTML content in name fields
  • Review recent outgoing emails for signs of injected content that may have already been sent to customers

Patch Information

Version 1.8.213 addresses this vulnerability by implementing proper output encoding for customer data rendered in email templates. The fix ensures that HTML special characters in customer names are escaped before being included in outgoing emails, preventing injection attacks.

For detailed patch information, see the GitHub Security Advisory GHSA-q8v4-v62h-5528 and the GitHub Commit Update.

Workarounds

  • Manually sanitize customer name fields in the database by removing or encoding HTML characters
  • Temporarily remove the {%customer.fullName%} variable from email signature templates until the patch can be applied
  • Implement an email gateway filter to strip HTML from incoming sender display names before they reach FreeScout
bash
# Database query to identify potentially malicious customer names
# Run this against your FreeScout database to audit for HTML injection
SELECT id, first_name, last_name, email 
FROM customers 
WHERE first_name LIKE '%<%' 
   OR first_name LIKE '%>%'
   OR last_name LIKE '%<%' 
   OR last_name LIKE '%>%';

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.