Medium severity4.3NVD Advisory· Published May 29, 2026· Updated Jun 1, 2026
CVE-2026-48811
CVE-2026-48811
Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.221, FreeScout allows a non-admin user to permanently delete an internal note (private thread) from any conversation, even after that user's access to the mailbox containing the conversation has been revoked. The ThreadPolicy::delete authorization policy does not verify mailbox membership, so a former team member retains destructive write access to notes they created. This vulnerability is fixed in 1.8.221.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
1News mentions
1- FreeScout: Four Medium-to-High Severity Flaws Disclosed in a Single BatchVypr Intelligence · May 29, 2026