CVE-2026-41190
FreeScout (self-hosted help desk) is affected pre-1.8.215. When APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS is enabled, the UI correctly blocks users who are neither the assignee nor the creator in direct conversation view, but the save_draft AJAX path is weaker. A crafted direct POST can create a draft...