CVE-2026-34442
Host Header Injection in FreeScout Enables Open Redirects

Publication date: 2026-03-31

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout (for example, in requests to http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.
Meta Information
Generated: 2026-05-06
AI Q&A: 2026-04-01
EPSS Evaluated: 2026-05-05
NVD
Affected Vendors & Products
Vendor: freescout; Product: freescout; Version range: all versions before 1.8.211 (1.8.211 itself is not affected)
CWE ID: Description
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-829: The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in FreeScout, a help desk and shared inbox application built with PHP's Laravel framework. Prior to version 1.8.211, FreeScout improperly handles the Host header in HTTP requests. An attacker can manipulate this Host header to inject an arbitrary domain into the URLs generated by the application. This causes the application to create absolute URLs that point to attacker-controlled domains.

As a result, the application may load external resources from malicious servers and redirect users to attacker-controlled sites, leading to External Resource Loading and Open Redirect behavior.


How can this vulnerability impact me?

This vulnerability can impact you by allowing attackers to redirect your users to malicious websites through crafted links generated by the application. This can lead to phishing attacks, where users are tricked into providing sensitive information on fake sites.

Additionally, loading external resources from attacker-controlled servers can expose users to malicious content or tracking, potentially compromising user privacy and security.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade FreeScout to version 1.8.211 or later, where the host header manipulation issue has been patched.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in FreeScout allows host header manipulation leading to open redirect and external resource loading attacks. This can facilitate phishing, UI redressing, and brand impersonation, which may increase the risk of unauthorized data exposure or user redirection to malicious sites.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA by potentially exposing users to phishing attacks and unauthorized data access through malicious redirects or resource loading. These standards require protecting user data and ensuring secure application behavior to prevent data breaches and social engineering attacks.

However, the provided information does not explicitly describe direct compliance violations or specific regulatory impacts, only the security risks that could indirectly affect compliance.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending HTTP requests with manipulated Host headers to the FreeScout application endpoints and observing if the responses contain absolute URLs or redirects that include the attacker-controlled Host value.

A proof of concept involves crafting a request with a malicious Host header and checking if the application reflects this header in generated URLs or redirects.

For example, you can use curl commands to test the vulnerability by setting the Host header to a domain you control and inspecting the response for injected URLs.

  • curl -H "Host: attacker.com" http://localhost:8080/system/status -v
  • curl -H "Host: attacker.com" http://localhost:8080/conversation/ajax-html/default_redirect -v

If the response contains URLs or redirects pointing to attacker.com or other injected domains, the system is vulnerable.

Additionally, reviewing application logs for unusual Host header values or unexpected redirects can help detect exploitation attempts.
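The two checks above, written as an added Python example (not FreeScout's code and not part of the original page): the first decides whether a captured response reflects an injected Host value into the Location header or into absolute asset URLs, the second scans access-log lines for Host values outside an allowlist. The hostnames, responses and log lines are constructed for illustration, and the log check assumes the web server records the Host header as the first field (e.g. nginx `$host`).

```python
import re
from urllib.parse import urlsplit

# Host values below are constructed for this example, not real systems.
INJECTED_HOST = "attacker.example"
ALLOWED_HOSTS = {"helpdesk.example.org"}
# Constructed responses: what a pre-1.8.211 instance might return after a
# request carrying "Host: attacker.example", versus a correctly configured one.
VULNERABLE_RESPONSE = {
    "headers": {"Location": "http://attacker.example/conversation/1"},
    "body": '<link rel="stylesheet" href="http://attacker.example/css/app.css">',
}
PATCHED_RESPONSE = {
    "headers": {"Location": "https://helpdesk.example.org/conversation/1"},
    "body": '<link rel="stylesheet" href="https://helpdesk.example.org/css/app.css">',
}

ABS_URL_RE = re.compile(r"""(?:href|src|action)=["'](https?://[^"'\s>]+)""", re.I)

def reflected_urls(response, injected_host):
    """Absolute URLs (Location header or href/src/action attributes) whose host
    equals the injected Host value; non-empty means links were built from Host."""
    candidates = []
    location = response["headers"].get("Location")
    if location:
        candidates.append(location)
    candidates.extend(ABS_URL_RE.findall(response["body"]))
    return [u for u in candidates if urlsplit(u).hostname == injected_host.lower()]

def is_vulnerable(response, injected_host):
    return bool(reflected_urls(response, injected_host))

# Constructed access-log lines; the first field is the Host header (nginx $host).
ACCESS_LOG = """\
helpdesk.example.org 203.0.113.7 - - [31/Mar/2026:10:00:01 +0000] "GET /system/status HTTP/1.1" 200 512
attacker.example 198.51.100.9 - - [31/Mar/2026:10:00:05 +0000] "GET /system/status HTTP/1.1" 302 0
198.51.100.9 198.51.100.9 - - [31/Mar/2026:10:00:06 +0000] "GET /conversation/ajax-html/default_redirect HTTP/1.1" 302 0
"""
LOG_RE = re.compile(r'^(\S+) (\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)')

def unexpected_hosts(log_text, allowed_hosts):
    """(host, client_ip, path) for requests whose Host header is not an expected
    hostname: the 'unusual Host header values' the detection advice refers to."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group(1).lower() not in allowed_hosts:
            hits.append((m.group(1), m.group(2), m.group(4)))
    return hits
```

A bare IP literal in the Host field (third log line) is flagged as well, since a configured instance should only ever be addressed by its own hostname.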

