VYPR
Medium severity (6.1) · NVD Advisory · Published Apr 21, 2026 · Updated Apr 22, 2026

CVE-2026-40565

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, the linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier, which runs first via getCleanBody(), leaves literal " characters in text nodes untouched, so they reach linkify() intact. linkify() then interpolates the matched URL, quote characters included, into an unescaped href="..." attribute: a quote inside the URL terminates the href value and the remainder of the URL is parsed as further attributes on the anchor, so a sender can inject arbitrary HTML attributes into the rendered message. Version 1.8.213 fixes the issue by passing the href and the link text through htmlspecialchars() with ENT_QUOTES.
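The breakout described above, as an added example that is not FreeScout's code: a simplified stand-in for linkify()'s default branch before and after the 1.8.213 change, run over a constructed email body. The regex is deliberately simpler than the real one (greedy, http/https only), the array_push() placeholder mechanism of the real function is omitted, and the function names and the sample body are assumptions made for this illustration.

```php
<?php
// Added example (not FreeScout's code). Two stand-ins for the default branch of
// Helper::linkify(): the pre-1.8.213 shape, which splices the matched URL into
// href="..." unescaped, and the 1.8.213 shape, which runs it through
// htmlspecialchars(ENT_QUOTES). Regex simplified (greedy, http(s) only); the
// array_push() placeholder scheme of the real function is left out. Function
// names and the sample body are assumptions for this example.

function linkifyVulnerable(string $value): string
{
    return preg_replace_callback('~https?://[^\s<]+~i', function (array $m): string {
        $url = $m[0];
        // Whatever the URL contains, including a literal ", lands inside the attribute.
        return "<a href=\"{$url}\">{$url}</a>";
    }, $value) ?: $value;
}

function linkifyFixed(string $value): string
{
    return preg_replace_callback('~https?://[^\s<]+~i', function (array $m): string {
        // ENT_QUOTES turns " into &quot; (and ' into &#039;), so the value can no
        // longer terminate the attribute it sits in. The patch escapes the href and
        // the visible link text the same way; both come from the same match here.
        $escaped = htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
        return "<a href=\"{$escaped}\">{$escaped}</a>";
    }, $value) ?: $value;
}

// Attribute names found on the first <a> start tag of a rendered fragment.
// A plain regex rather than an HTML parser on purpose: it reports the raw markup
// that is handed to the browser, which is what the browser then tolerates.
function anchorAttributeNames(string $html): array
{
    if (!preg_match('~<a\s([^>]*)>~i', $html, $tag)) {
        return [];
    }
    preg_match_all('~([A-Za-z-]+)="~', $tag[1], $attrs);
    return $attrs[1];
}

// Constructed email body as it would look after getCleanBody(): HTMLPurifier keeps
// the literal " in this text node, so linkify() sees it unchanged.
$body = 'Invoice: https://example.com/pay/"onmouseover="alert(1) (due Friday)';

echo linkifyVulnerable($body), "\n";
echo implode(',', anchorAttributeNames(linkifyVulnerable($body))), "\n";

echo linkifyFixed($body), "\n";
echo implode(',', anchorAttributeNames(linkifyFixed($body))), "\n";
```

Run with `php` on the command line: the vulnerable rendering shows the href closed early and a second attribute on the anchor, while the fixed rendering keeps the whole URL, quotes encoded, inside a single href. The attribute listing is the quick regression check to keep next to linkify(): any anchor it produces from message text should carry exactly the attributes the code itself adds.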

Affected products

1 (FreeScout, versions prior to 1.8.213)

Patches

1
265379b3ae34

Escape values in Helper::linkify()

1 file changed · +9 -3
  • app/Misc/Helper.php (+9 -3, modified)
    @@ -1546,17 +1546,23 @@ public static function linkify($value, $protocols = ['http', 'mail'], array $att
                             $link = $match[2];
                             $link = substr($link, strlen($match[3]));
                             //return '<' . array_push($links, "<a $attr href=\"$protocol://$link\">$protocol://$link</a>") . '>';
    -                        return $match[1].'<' . array_push($links, "<a $attr href=\"$protocol://$link\">".$match[2]."</a>") . '>';
    +                        $href = htmlspecialchars($protocol.'://'.$link, ENT_QUOTES, 'UTF-8');
    +                        $link_text = htmlspecialchars($match[2], ENT_QUOTES, 'UTF-8');
    +                        return $match[1].'<' . array_push($links, "<a $attr href=\"".$href."\">".$link_text."</a>") . '>';
                         }, $value) ?: $value;
                         break;
                     case 'mail':
                         $value = preg_replace_callback('~([^\s<>]+?@[^\s<]+?\.[^\s<]+)(?<![\.,:\)])~', function ($match) use (&$links, $attr) {
    -                        return '<' . array_push($links, "<a $attr href=\"mailto:{$match[1]}\">{$match[1]}</a>") . '>';
    +                        $href = htmlspecialchars($match[1], ENT_QUOTES, 'UTF-8');
    +                        $link_text = htmlspecialchars($match[1], ENT_QUOTES, 'UTF-8');
    +                        return '<' . array_push($links, "<a $attr href=\"mailto:{$href}\">{$link_text}</a>") . '>';
                         }, $value) ?: $value;
                         break;
                     default:
                         $value = preg_replace_callback('~' . preg_quote($protocol, '~') . '://([^\s<]+?)(?<![\.,:])~i', function ($match) use ($protocol, &$links, $attr) {
    -                        return '<' . array_push($links, "<a $attr href=\"$protocol://{$match[1]}\">$protocol://{$match[1]}</a>") . '>';
    +                        $href = htmlspecialchars("$protocol://{$match[1]}", ENT_QUOTES, 'UTF-8');
    +                        $link_text = htmlspecialchars("$protocol://{$match[1]}", ENT_QUOTES, 'UTF-8');
    +                        return '<' . array_push($links, "<a $attr href=\"{$href}\">{$link_text}</a>") . '>';
                         }, $value) ?: $value;
                         break;
                 }
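Review bot: the three new htmlspecialchars() calls pass ENT_QUOTES alone; with the 'UTF-8' argument PHP returns an empty string when the input contains an invalid UTF-8 sequence, so a malformed byte anywhere in the matched URL or address silently yields `href=""` and empty link text. Use `ENT_QUOTES | ENT_SUBSTITUTE` so such input degrades to U+FFFD instead of making the link vanish. `$attr` is still interpolated raw in all three branches (`"<a $attr href=\"..."`); that is only safe while the `$attributes` argument is set by callers and never derived from message content, and the function's docblock should say so. Unrelated to the fix but visible in the default branch: `([^\s<]+?)(?<![\.,:])` is a lazy quantifier followed by a lookbehind that already succeeds after the first character, so that branch captures only the first character after `://`.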
    

References

3

News mentions

0