Vulnerability Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an email with a crafted From display name. The name is stored in the database without sanitization and rendered unescaped into outgoing reply emails via the `{%customer.fullName%}` signature variable. This allows embedding phishing links, tracking pixels, and spoofed content inside legitimate support emails sent from the organization's address. Version 1.8.213 fixes the issue.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/freescout-help-desk/freescout/commit/9131b16f80eade81002cb980
- https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v
FAQ
What is CVE-2026-40567?
CVE-2026-40567 is a vulnerability with a CVSS score of 5.8 (MEDIUM). FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, an unauthenticated attacker can inject arbitrary HTML into outgoing emails generated by FreeScout by sending an ...
How severe is CVE-2026-40567?
CVE-2026-40567 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-40567?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.