VYPR
High severity · 8.1 · NVD Advisory · Published Apr 21, 2026 · Updated Apr 23, 2026

CVE-2026-40497

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's Helper::stripDangerousTags() removes <script>, <form>, <iframe> and <object> tags but does NOT strip <style> tags. The mailbox signature field is saved via POST /mailbox/settings/{id} and later rendered unescaped via {!! $conversation->getSignatureProcessed([], true) !!} in conversation views. The CSP allows style-src * 'self' 'unsafe-inline', so injected inline styles are applied freely. An attacker with access to mailbox settings (an admin, or an agent with permission on the mailbox) can inject CSS attribute selectors to exfiltrate the CSRF token of any agent or admin who views a conversation in that mailbox. With the CSRF token, the attacker can perform any state-changing action as the victim (create admin accounts, change email/password, etc.), i.e. privilege escalation from agent to admin.

This is the result of an incomplete fix for GHSA-jqjf-f566-485j, which reported XSS via the mailbox signature. That fix applied Helper::stripDangerousTags() to the signature before saving, but stripDangerousTags() only removes script, form, iframe and object tags; it does not strip <style> tags, leaving CSS injection possible. Version 1.8.213 contains an updated fix.

Patches

Commit 5aa8d633216f: Strip also style tags in Helper::stripDangerousTags()

1 file changed · +5 −1
  • app/Misc/Helper.php (+5 −1, modified)
    @@ -570,7 +570,11 @@ public static function stripDangerousTags($html, $allowed_tags = [])
             // <script src="/storage/attachment/8/1/1/test.js?id=7&token=c4786c4497db3c6254a0c310623a43c3">
             // <iframe src="/storage/attachment/8/1/1/1.html?id=95&token=3dced8dc80305031b358119f3d156204"></iframe>
             // <object data="/storage/attachment/8/1/1/1.html?id=95&token=3dced8dc80305031b358119f3d156204" type="text/html"></object>
    -        $tags = ['script', 'form', 'iframe', 'object'];
    +        $tags = [
    +            'script', 'form', 'iframe', 'object',
    +            // https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fh99-wr77-pxq3
    +            'style',
    +        ];
             $attrs = 'src|data';
     
             $tags = array_diff($tags, $allowed_tags);
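Review bot: adding `'style'` to `$tags` closes the `<style>` element gap named in the advisory, but two points in this hunk deserve a second look. First, `$tags = array_diff($tags, $allowed_tags);` means any caller that passes `'style'` in `$allowed_tags` silently re-enables the injection, so the call sites of `stripDangerousTags()` should be audited to confirm none whitelists it. Second, the visible attribute handling is limited to `$attrs = 'src|data';`, and nothing in this hunk touches inline `style="..."` attributes on the elements that survive stripping; since the advisory notes the CSP permits `'unsafe-inline'` for styles, it is worth verifying that those attributes are handled elsewhere (or documenting why they are out of scope) and adding a regression test that a signature containing a `<style>` block, including mixed-case and attribute-bearing variants, comes back without it.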
    
