CVE-2026-40567 Overview
FreeScout is a free self-hosted help desk and shared mailbox application. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the {%customer.fullName%} signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address.
Critical Impact
Attackers can inject malicious HTML content into legitimate organizational emails, enabling sophisticated phishing attacks and email spoofing that appear to originate from trusted support addresses.
Affected Products
- FreeScout versions prior to 1.8.213
Discovery Timeline
- 2026-04-21 - CVE-2026-40567 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-40567
Vulnerability Analysis
This vulnerability is classified as CWE-116 (Improper Encoding or Escaping of Output), which occurs when the application fails to properly encode or escape special characters before including user-controlled data in output. In this case, FreeScout accepts email sender display names from incoming emails and stores them directly in the database without sanitization.
When support agents reply to customers, the application uses signature templates that include the {%customer.fullName%} variable. This variable renders the stored customer name directly into outgoing HTML emails without proper escaping, allowing any HTML tags embedded in the original sender's display name to be interpreted as active content in the recipient's email client.
The network-accessible nature of this vulnerability means any external party can send an email to the help desk system with a malicious display name. No authentication or prior access is required, and the impact extends beyond the immediate system since the malicious content propagates to third parties who receive legitimate-looking emails from the organization's support address.
Root Cause
The root cause stems from insufficient output encoding in the email template rendering engine. When the {%customer.fullName%} variable is processed, the application fails to apply HTML entity encoding or escape sequences before inserting the customer name into the email body. This missing sanitization step allows raw HTML content to pass through unmodified, creating an injection point that persists across multiple email interactions.
Attack Vector
An attacker exploits this vulnerability by sending an email to a FreeScout-monitored inbox with a specially crafted From header containing HTML markup in the display name field. For example, an attacker might set their email display name to include anchor tags pointing to phishing sites, invisible tracking pixels via <img> tags, or styled elements that mimic official organization branding.
When a support agent responds to this email, the malicious HTML is automatically embedded into the outgoing reply and any subsequent communications that reference the customer's name. Recipients of these emails see content that appears to originate from the legitimate organization but contains attacker-controlled elements that can redirect them to malicious sites or track their email activity.
Detection Methods for CVE-2026-40567
Indicators of Compromise
- Inbound emails containing HTML tags within the From display name field
- Customer records in the database containing HTML markup like <a>, <img>, <script>, or <style> tags
- Outgoing emails with unexpected HTML content or external resource references not present in official templates
Detection Strategies
- Implement email gateway rules to flag incoming messages with HTML special characters in sender display names
- Audit the FreeScout customer database for entries containing HTML tags or URL references in name fields
- Review outgoing email logs for embedded content that deviates from approved signature templates
Monitoring Recommendations
- Monitor outgoing email queues for messages containing suspicious HTML patterns or external tracking pixel URLs
- Set up alerts for new customer records created with display names exceeding normal length or containing special characters
- Track click-through rates on links in support emails to identify potential phishing redirections
How to Mitigate CVE-2026-40567
Immediate Actions Required
- Upgrade FreeScout to version 1.8.213 or later immediately
- Audit existing customer records in the database for potentially malicious HTML content in name fields
- Review recent outgoing emails for signs of injected content that may have already been sent to customers
Patch Information
Version 1.8.213 addresses this vulnerability by implementing proper output encoding for customer data rendered in email templates. The fix ensures that HTML special characters in customer names are escaped before being included in outgoing emails, preventing injection attacks.
For detailed patch information, see the GitHub Security Advisory GHSA-q8v4-v62h-5528 and the corresponding GitHub commit.
Workarounds
- Manually sanitize customer name fields in the database by removing or encoding HTML characters
- Temporarily remove the {%customer.fullName%} variable from email signature templates until the patch can be applied
- Implement an email gateway filter to strip HTML from incoming sender display names before they reach FreeScout
# Database query to identify potentially malicious customer names
# Run this against your FreeScout database to audit for HTML injection.
# FreeScout keeps addresses in a separate emails table (emails.customer_id -> customers.id),
# so the address is joined in here; adjust the join if your schema differs.
SELECT c.id, c.first_name, c.last_name, e.email
FROM customers c
LEFT JOIN emails e ON e.customer_id = c.id
WHERE c.first_name LIKE '%<%'
   OR c.first_name LIKE '%>%'
   OR c.last_name LIKE '%<%'
   OR c.last_name LIKE '%>%';
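The gateway check from the detection strategies and the escaping that the 1.8.213 fix applies when {%customer.fullName%} is expanded, as an added example that is not FreeScout's own code. It parses constructed From headers, decodes RFC 2047 encoded display names before inspecting them (a raw `<`/`>` match on the wire would miss an encoded name), flags names carrying an HTML tag, and renders a signature template both with and without entity encoding. The sample headers and the tracker.example host are constructed.

```python
import html
import re
from email.header import decode_header, make_header
from email.utils import parseaddr

# A display name carrying an HTML tag is the indicator the advisory describes;
# ordinary punctuation in names (apostrophes, ampersands) is left alone.
TAG_RE = re.compile(r"</?[a-zA-Z][^>]*>")

# Constructed sample From headers (not real traffic): one benign, one RFC 2047
# encoded so the tag is invisible until decoded, one with a tracking pixel.
SAMPLE_HEADERS = [
    '"Dana O\'Brien" <dana@example.com>',
    "=?utf-8?B?PGI+Qm9iPC9iPg==?= <bob@example.com>",
    '"Eve <img src=https://tracker.example/p.gif>" <eve@example.org>',
]


def display_name(from_header: str) -> str:
    """Parse the header first, then decode any RFC 2047 encoded words in the
    name, so the check sees the text FreeScout would store as the customer name."""
    name, _addr = parseaddr(from_header)
    return str(make_header(decode_header(name)))


def has_html_tag(name: str) -> bool:
    return TAG_RE.search(name) is not None


def flag_headers(headers):
    """Gateway-style rule: (decoded name, address) for every header whose
    display name contains an HTML tag."""
    flagged = []
    for header in headers:
        name = display_name(header)
        if has_html_tag(name):
            flagged.append((name, parseaddr(header)[1]))
    return flagged


def render_signature(template: str, customer_name: str, escape: bool = True) -> str:
    """Expand {%customer.fullName%} as a signature template does. escape=False
    mirrors the pre-1.8.213 behaviour (markup passes through); escape=True applies
    HTML entity encoding, the class of fix the advisory describes."""
    value = html.escape(customer_name, quote=True) if escape else customer_name
    return template.replace("{%customer.fullName%}", value)


if __name__ == "__main__":
    for name, addr in flag_headers(SAMPLE_HEADERS):
        print(f"flagged {addr}: {name!r}")
    print(render_signature("Hello {%customer.fullName%},", "<b>Bob</b>"))
```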
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.