Lucene search
K

683 matches found

NVD
NVD
added 2026/04/21 5:16 p.m.7 views

CVE-2026-40570

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the loadcustomerinfo action in POST /conversation/ajax returns complete customer profile data to any authenticated user without verifying mailbox access. An attacker only needs a valid email address to retriev...

7.1CVSS0.00249EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 5:16 p.m.2 views

CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/21 5:16 p.m.34 views

CVE-2026-41194 FreeScout's Mailbox OAuth disconnect uses a state-changing GET and is CSRFable

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

5.4CVSS0.0012EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/21 5:16 p.m.7 views

EUVD-2026-24225

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the mailbox OAuth disconnect action is implemented as GET /mailbox/oauth-disconnect/id/inout/provider. It removes stored OAuth metadata from the mailbox and then redirects. Because it is a GET route, no CSRF...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 5:16 p.m.15 views

CVE-2026-41194

FreeScout before 1.8.215 exposes a GET /mailbox/oauth-disconnect/{id}/{in_out}/{provider} action that removes stored OAuth metadata without CSRF protection, enabling cross-site triggering against a logged-in mailbox admin. Root cause: GET route lacks CSRF token validation. Impact: potential unaut...

5.4CVSS5.6AI score0.0012EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 5:15 p.m.3 views

CVE-2026-41193 FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authenticated admin to write files arbitrarily on the server filesystem via a specially crafted ZIP...

9.1CVSS5.8AI score0.00392EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/21 5:15 p.m.32 views

CVE-2026-41193 FreeScout has Zip Slip path traversal in module installation that allows arbitrary file write leading to RCE

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authenticated admin to write files arbitrarily on the server filesystem via a specially crafted ZIP...

9.1CVSS0.00392EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 5:15 p.m.16 views

CVE-2026-41193

CVE-2026-41193 — FreeScout Zip Slip path traversal . Affected: FreeScout prior to v1.8.215.Issue: The module installation feature extracts ZIP archives without validating file paths, enabling an authenticated admin to write arbitrary files on the server filesystem via a crafted ZIP.Impact (as sta...

9.1CVSS5.8AI score0.00392EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 5:12 p.m.6 views

CVE-2026-41192 FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in attachmentsall but omitted from retained lists are decrypted and passed directly to Attachment::deleteByIds. Because...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/21 5:12 p.m.37 views

CVE-2026-41192 FreeScout's client-controlled attachment IDs allow deletion of existing conversation attachments

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in attachmentsall but omitted from retained lists are decrypted and passed directly to Attachment::deleteByIds. Because...

7.1CVSS0.00238EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 5:12 p.m.25 views

CVE-2026-41192

Summary: FreeScout before version 1.8.215 is vulnerable. The bug arises in the reply/draft flows that trust client-supplied encrypted attachment IDs. When an attachment ID that appears in attachments_all[] but is not in the retained lists is decrypted and passed to Attachment::deleteByIds(), a ma...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/21 5:12 p.m.8 views

EUVD-2026-24221

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in attachmentsall but omitted from retained lists are decrypted and passed directly to Attachment::deleteByIds. Because...

7.1CVSS5.8AI score0.00238EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/04/21 5:9 p.m.35 views

CVE-2026-41191 FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting changes

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave persists chatstartnew outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden...

7.1CVSS0.00211EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 5:9 p.m.3 views

CVE-2026-41191 FreeScout's signature only mailbox permission allows unauthorized mailbox chat setting changes

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave persists chatstartnew outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/21 5:9 p.m.7 views

EUVD-2026-24197

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave persists chatstartnew outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/04/21 5:9 p.m.3 views

CVE-2026-41191

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, MailboxesController::updateSave persists chatstartnew outside the allowed-field filter. A user with only the mailbox sig permission sees only the signature field in the UI, but can still change the hidden...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References4Affected Software1
CVE
CVE
added 2026/04/21 5:9 p.m.14 views

CVE-2026-41191

FreeScout vulnerability detail: before 1.8.215, MailboxesController::updateSave() persists chat_start_new outside the allowed-field filter. A user with only the mailbox sig permission can alter the hidden mailbox-wide chat setting via direct POST, despite UI restricting to the signature field. Ve...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/04/21 5:6 p.m.5 views

CVE-2026-41190 FreeScout has assigned-only visibility bypass via save_draft that allows hidden conversation draft injection

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when APPSHOWONLYASSIGNEDCONVERSATIONS is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The savedraft AJAX path is weaker. A direct POST can create a dra...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References3
EUVD
EUVD
added 2026/04/21 5:6 p.m.5 views

EUVD-2026-24195

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when APPSHOWONLYASSIGNEDCONVERSATIONS is enabled, direct conversation view correctly blocks users who are neither the assignee nor the creator. The savedraft AJAX path is weaker. A direct POST can create a dra...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References3
CVE
CVE
added 2026/04/21 5:6 p.m.13 views

CVE-2026-41190

FreeScout (self-hosted help desk) is affected pre-1.8.215. When APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled, the UI correctly blocks users who are neither the assignee nor the creator in direct conversation view, but the save_draft AJAX path is weaker. A crafted direct POST can create a draft...

7.1CVSS5.8AI score0.00211EPSS
Exploits0References3
Rows per page
Query Builder