VYPR
Medium severity4.3NVD Advisory· Published May 29, 2026· Updated Jun 1, 2026

CVE-2026-48811

CVE-2026-48811

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Freescout/Freescoutinferred2 versions
    <1.8.221+ 1 more
    • (no CPE)range: <1.8.221
    • (no CPE)range: <1.8.221

Patches

Vulnerability mechanics

References

1

News mentions

1