CVE-2026-32754 FreeScout: Stored XSS via Unescaped Email Template Rendering ({!! $thread->body !!})
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered...
CVE-2026-32753
FreeScout (PHP Laravel) vulnerability CVE-2026-32753 affects versions 1.8.208 and earlier. By bypassing the attachment view logic and SVG sanitizer, an attacker can upload an SVG masquerading as a safe image (e.g., xss.png with Content-Type image/svg+xml) and cause the server to render inline SVG containi...