CVE-2026-32753
Status: Received - Intake
Stored XSS via SVG Upload Bypass in FreeScout

Publication date: 2026-03-19

Last updated on: 2026-03-23

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and the SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript: a file with a .png extension but a Content-Type of image/svg+xml is accepted, and a fallback path taken on invalid XML leads to unsafe sanitization.

The application restricts which uploaded files are rendered inline: only files considered "safe" are displayed in the browser; all others are served with Content-Disposition: attachment. This decision rests on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) together with a Content-Type of image/svg+xml, an attacker satisfies both checks, so the server treats the upload as a safe image and renders it inline even though the body is SVG and can contain scripted behavior. Any authenticated user can set up such a URL, and whenever another user or administrator visits it, the XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209.
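As an added illustration (not FreeScout's code), the following shows the two-check decision the description outlines beside a hardened decision that also inspects the uploaded bytes; the function names, the magic-number table and the sample bodies are assumptions constructed for the example.

```python
# Added illustration, not FreeScout's code: the extension + Content-Type
# check described in the advisory, beside a hardened decision that also
# inspects the uploaded bytes. Names and the magic table are assumptions.
from typing import Optional

INLINE_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
EXT_TO_TYPE = {"png": "image/png", "jpg": "image/jpeg",
               "jpeg": "image/jpeg", "gif": "image/gif"}
MAGIC = [(b"\x89PNG\r\n\x1a\n", "image/png"), (b"\xff\xd8\xff", "image/jpeg"),
         (b"GIF87a", "image/gif"), (b"GIF89a", "image/gif")]


def extension_of(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def vulnerable_disposition(filename: str, declared_type: str) -> str:
    """Logic as the advisory describes it: an allowed extension plus any
    image/* Content-Type is enough to render the upload inline."""
    if extension_of(filename) in INLINE_EXTENSIONS and declared_type.startswith("image/"):
        return "inline"
    return "attachment"


def sniff_type(body: bytes) -> Optional[str]:
    """Derive the type from the bytes, not from client-supplied metadata."""
    for magic, mime in MAGIC:
        if body.startswith(magic):
            return mime
    head = body.lstrip()[:512].lower()
    if head.startswith(b"<?xml") or b"<svg" in head:
        return "image/svg+xml"  # scriptable; never rendered inline here
    return None


def hardened_disposition(filename: str, declared_type: str, body: bytes) -> str:
    """Inline only when extension, declared type and sniffed bytes all agree
    on a raster format; anything else (including SVG) is served as a download."""
    expected = EXT_TO_TYPE.get(extension_of(filename))
    if expected is None or declared_type != expected or sniff_type(body) != expected:
        return "attachment"
    return "inline"


# Constructed samples: an SVG body uploaded as xss.png with image/svg+xml,
# and a minimal buffer starting with the real PNG signature.
SVG_AS_PNG = (b"<?xml version='1.0'?><svg xmlns='http://www.w3.org/2000/svg'>"
              b"<text>sample</text></svg>")
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    print(vulnerable_disposition("xss.png", "image/svg+xml"))            # inline
    print(hardened_disposition("xss.png", "image/svg+xml", SVG_AS_PNG))  # attachment
```

Pairing the attachment path with an X-Content-Type-Options: nosniff header keeps browsers from second-guessing the served type.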
Meta Information
Published: 2026-03-19
Last Modified: 2026-03-23
Generated: 2026-05-07
AI Q&A: 2026-03-20
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: freescout
Product: freescout
Version / Range: up to 1.8.209 (excluding)
CWE ID: CWE-80
Description: The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in FreeScout versions 1.8.208 and below, where attackers can bypass the attachment view logic and SVG sanitizer to upload and render an SVG file containing malicious JavaScript.

The application restricts inline rendering of uploaded files based on file extension and declared Content-Type. However, an attacker can upload a file with a safe extension like .png but with a Content-Type of image/svg+xml, causing the server to treat it as a safe image and render it inline.

Because SVG files can contain scripted behavior, this allows an attacker to execute cross-site scripting (XSS) attacks. Any authenticated user can create a URL that, when visited by another user or administrator, executes malicious actions on their behalf.

This issue was fixed in FreeScout version 1.8.209.


How can this vulnerability impact me?

This vulnerability can lead to cross-site scripting (XSS) attacks, allowing attackers to execute malicious JavaScript in the context of the victim's browser.

As a result, attackers can perform actions on behalf of other users or administrators, potentially leading to unauthorized access, data theft, or manipulation of the application.

Since any authenticated user can exploit this vulnerability, it increases the risk of insider threats or compromised accounts being used to launch attacks.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability in FreeScout versions 1.8.208 and below allows authenticated users to upload SVG files disguised with a .png extension and a content type of image/svg+xml, enabling malicious JavaScript execution.

To mitigate this vulnerability immediately, upgrade FreeScout to version 1.8.209 or later, where the issue has been fixed.

