CVE-2026-40565
Undergoing Analysis Undergoing Analysis - In Progress
HTML Injection via Unescaped URLs in FreeScout linkify() Function

Publication date: 2026-04-21

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal " characters in text nodes. linkify() then wraps URLs including those " chars inside an unescaped href="..." attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40565
EUVD
EUVD-2026-24141
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.213 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability CVE-2026-40565 is a stored cross-site scripting (XSS) and CSS injection issue that allows unauthenticated attackers to inject malicious HTML attributes into email bodies viewed by agents. This can lead to UI redressing attacks and potential session hijacking if Content Security Policy (CSP) protections are bypassed.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the presence of a stored XSS vulnerability in a help desk system handling potentially sensitive email content could pose risks to confidentiality and integrity of data. Such risks may impact compliance with regulations that require protection of personal and sensitive information against unauthorized access or manipulation.

Therefore, organizations using vulnerable versions of FreeScout prior to 1.8.213 might face challenges in maintaining compliance with security requirements of common standards and regulations due to the potential for data exposure or manipulation via this vulnerability.

Executive Summary

CVE-2026-40565 is a stored Cross-Site Scripting (XSS) and CSS injection vulnerability in FreeScout versions prior to 1.8.213. It occurs in the linkify() function, which converts plain-text URLs in email bodies into HTML anchor tags. The function fails to properly escape double-quote characters (") within URLs, allowing these characters to break out of the href attribute context and inject arbitrary HTML attributes.

Specifically, the email body is first sanitized by HTMLPurifier, which preserves literal double-quote characters. Then, linkify() wraps URLs containing these quotes inside unescaped href attributes, enabling injection of malicious HTML such as CSS styles or JavaScript event handlers.

This vulnerability allows an attacker to craft URLs that, when viewed by a helpdesk agent, inject malicious CSS or JavaScript into the interface, leading to UI redressing or session hijacking.

Impact Analysis

This vulnerability allows remote, unauthenticated attackers to inject malicious CSS and potentially JavaScript into the FreeScout helpdesk agent's interface.

  • UI redressing attacks that overlay or manipulate the agent's viewport.
  • Session hijacking through injected JavaScript if Content Security Policy (CSP) is not strict.
  • Compromise of agent interactions by injecting malicious attributes like onclick handlers.

The attack requires an attacker to send a specially crafted email containing malicious URLs to the helpdesk mailbox, which is then viewed by an agent, triggering the vulnerability.

Detection Guidance

This vulnerability can be detected by inspecting email bodies processed by FreeScout for URLs containing unescaped double-quote characters ("). Specifically, look for anchor tags (<a>) where the href attribute is broken out due to unescaped quotes, which may allow injection of arbitrary HTML attributes.

One practical approach is to search the email content or logs for suspicious URLs containing double quotes or unusual attribute injections.

Example commands to detect such patterns could include using grep or similar tools on stored email data or logs:

  • grep -r 'href=.*"' /path/to/freescout/emails
  • grep -r '<a href="http://' /path/to/freescout/emails | grep '"'

Additionally, manual inspection or automated scanning of the HTML output rendered in the agent interface for injected attributes or CSS overlays can help identify exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.213 or later, where the vulnerability is fixed by properly escaping URLs and email addresses in the linkify() function.

If upgrading is not immediately possible, consider applying the patch that escapes href attribute values and link text using PHP's htmlspecialchars() function with ENT_QUOTES and UTF-8 encoding to prevent injection.

Additionally, enforce strict Content Security Policy (CSP) headers to limit the impact of injected scripts or styles.

Monitor incoming emails for suspicious URLs containing double quotes or unusual attributes and consider filtering or sanitizing such inputs before processing.

Executive Summary

CVE-2026-40565 is a stored Cross-Site Scripting (XSS) and CSS injection vulnerability in FreeScout versions prior to 1.8.213. It occurs in the linkify() function, which converts plain-text URLs in email bodies into HTML anchor tags. The function fails to properly escape double-quote characters (") within URLs, allowing these characters to break out of the href attribute context and inject arbitrary HTML attributes.

Specifically, the email body is first sanitized by HTMLPurifier, which preserves literal " characters. Then, linkify() wraps URLs containing these " characters inside unescaped href attributes, enabling injection of malicious HTML or CSS. This can lead to the browser interpreting injected attributes such as style or onclick, resulting in UI redressing or potential script execution.

The vulnerability is fixed in FreeScout version 1.8.213 by properly escaping URLs and link text using PHP's htmlspecialchars() function with ENT_QUOTES and UTF-8 encoding, preventing injection attacks.

Impact Analysis

This vulnerability allows remote, unauthenticated attackers to inject malicious CSS and potentially JavaScript into the FreeScout helpdesk agent's interface.

  • UI redressing attacks, such as full-page overlays that can mislead or block the agent's view.
  • Potential session hijacking through injected JavaScript if Content Security Policy (CSP) is not strict.
  • Compromise of agent interactions by injecting arbitrary HTML attributes like onclick handlers.

The attack requires an attacker to send a crafted email containing malicious URLs to the helpdesk mailbox, which when viewed by an agent triggers the vulnerability.

Detection Guidance

This vulnerability can be detected by inspecting email bodies processed by FreeScout for URLs containing unescaped double-quote characters ("). Specifically, look for anchor tags (<a>) where the href attribute is broken out due to unescaped quotes, allowing injection of arbitrary HTML attributes.

One approach is to search the email content or logs for suspicious URLs containing double quotes that are not properly escaped. Since the vulnerability manifests when an agent views an email with such crafted URLs, monitoring the rendered HTML for injected attributes or unexpected CSS styles can help detect exploitation.

Commands to detect potentially malicious URLs in stored emails or logs might include using grep or similar tools to find URLs with double quotes:

  • grep -r '"' /path/to/freescout/email/storage
  • grep -r '<a href="http' /path/to/freescout/email/storage | grep '"'

Additionally, reviewing the FreeScout version installed can help determine if the system is vulnerable (versions prior to 1.8.213 are affected).

Mitigation Strategies

The immediate mitigation step is to upgrade FreeScout to version 1.8.213 or later, where the vulnerability is fixed by properly escaping URLs and email addresses in the linkify() function.

If upgrading immediately is not possible, consider applying the patch from the official commit that escapes href attributes and link text using PHP's htmlspecialchars() function with ENT_QUOTES and UTF-8 encoding to prevent injection.

Additionally, enforcing strict Content Security Policy (CSP) headers can help mitigate the impact by blocking execution of injected scripts, although CSS injection may still be possible.

As a temporary measure, avoid opening suspicious emails containing URLs with double quotes or other unusual characters in the helpdesk interface.

Compliance Impact

The vulnerability CVE-2026-40565 is a stored cross-site scripting (XSS) and CSS injection issue that allows unauthenticated attackers to inject malicious HTML attributes into email bodies viewed by agents. This can lead to UI redressing attacks and potential session hijacking if Content Security Policy (CSP) protections are bypassed.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the presence of an XSS vulnerability that can lead to session hijacking and unauthorized manipulation of the user interface poses risks to confidentiality and integrity of data handled by the FreeScout help desk system.

Such vulnerabilities can impact compliance with data protection regulations that require safeguarding personal and sensitive information against unauthorized access or disclosure. If exploited, this vulnerability could potentially lead to unauthorized access to user data or disruption of service, which may violate regulatory requirements.

Compliance Impact

The vulnerability CVE-2026-40565 is a stored Cross-Site Scripting (XSS) and CSS injection issue that allows unauthenticated attackers to inject malicious HTML attributes into email bodies viewed by agents. This can lead to UI redressing attacks and potential session hijacking if Content Security Policy (CSP) protections are bypassed.

Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or manipulation of sensitive information, compromise data integrity, and expose user sessions to hijacking. These outcomes can violate requirements for protecting personal and sensitive data, maintaining confidentiality, and ensuring secure processing environments.

Therefore, failure to address this vulnerability could result in non-compliance with data protection and security mandates that require safeguarding against injection attacks and ensuring secure handling of user data.

Detection Guidance

This vulnerability can be detected by inspecting email bodies processed by FreeScout versions prior to 1.8.213 for unescaped double-quote characters within URLs that are converted into HTML anchor tags. Specifically, look for anchor tags where the href attribute is broken out by unescaped quotes, allowing injection of arbitrary HTML attributes such as style.

One practical approach is to search the email content or logs for suspicious anchor tags containing unescaped double-quote characters or injected attributes like style or onclick within href attributes.

Example commands to detect such patterns in stored emails or logs might include:

  • Using grep to find suspicious href attributes with embedded quotes: grep -rP '<a href="[^"]*"[^"]*style=' /path/to/emails_or_logs
  • Using grep to find anchor tags with href attributes containing double quotes breaking out: grep -rP '<a href="[^"]*"[^"]*"' /path/to/emails_or_logs

Additionally, reviewing the FreeScout version in use and confirming if it is prior to 1.8.213 can help identify if the system is vulnerable.

Compliance Impact

The vulnerability CVE-2026-40565 is a stored Cross-Site Scripting (XSS) and CSS injection issue that allows unauthenticated attackers to inject malicious HTML attributes into email bodies viewed by agents. This can lead to UI redressing attacks and potential session hijacking if Content Security Policy (CSP) protections are bypassed.

Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or manipulation of sensitive information handled by the help desk system. The injection of malicious code could compromise confidentiality and integrity of data, which are critical requirements under these regulations.

Therefore, organizations using vulnerable versions of FreeScout prior to 1.8.213 may face increased risk of data breaches or unauthorized data exposure, potentially resulting in non-compliance with data protection standards.

Detection Guidance

To detect the CVE-2026-40565 vulnerability on your system, you should check the version of FreeScout you are running. Versions prior to 1.8.213 are vulnerable.

You can also inspect email bodies processed by FreeScout for unescaped double-quote characters (") within URLs that are converted into HTML anchor tags. Specifically, look for anchor tags where the href attribute is broken by unescaped quotes, allowing injection of arbitrary HTML attributes.

Since the vulnerability involves improper escaping in the linkify() function, you can search for suspicious anchor tags in the rendered HTML of email threads that include injected attributes such as style or event handlers.

Suggested commands to detect vulnerable versions or suspicious patterns:

  • Check FreeScout version via command line or application interface to confirm if it is older than 1.8.213.
  • Use grep or similar tools to search for the vulnerable code pattern in app/Misc/Helper.php: `grep -n 'href="$protocol://' app/Misc/Helper.php` to verify if escaping is applied.
  • Inspect stored email bodies for suspicious anchor tags with unescaped quotes using commands like: `grep -r '<a href="http' /path/to/freescout/storage` or database queries to find URLs containing double-quote characters.
  • Use browser developer tools to inspect the DOM of email threads for injected attributes in anchor tags, such as unexpected style attributes that create overlays.
Detection Guidance

This vulnerability can be detected by inspecting email bodies processed by FreeScout versions prior to 1.8.213 for unescaped double-quote characters within URLs that are converted into HTML anchor tags. Specifically, look for anchor tags where the href attribute is broken out by unescaped quotes, allowing injection of arbitrary HTML attributes such as style.

A practical detection method is to search the email content or logs for suspicious anchor tags containing double-quote characters inside URLs that lead to injected attributes. For example, look for patterns like: <a href="http://evil.com/"style="..."> which indicate the vulnerability.

Suggested commands to detect this issue include using grep or similar tools to search for unescaped double quotes in href attributes within stored email bodies or logs:

  • grep -rP '<a href="[^"]*"[^"]*>' /path/to/freescout/data/emails
  • grep -r 'href="http' /path/to/freescout/data/emails | grep '"style='

Additionally, reviewing the FreeScout version in use can help determine if the system is vulnerable. Versions prior to 1.8.213 are affected.

Compliance Impact

The vulnerability CVE-2026-40565 in FreeScout allows unauthenticated attackers to inject malicious HTML attributes via crafted URLs in email bodies, leading to stored cross-site scripting (XSS) and CSS injection attacks.

Such vulnerabilities can impact compliance with common standards and regulations like GDPR and HIPAA because they may lead to unauthorized access or manipulation of sensitive information, compromise data integrity, and expose user sessions to hijacking.

Specifically, the injection of malicious code could enable attackers to perform UI redressing attacks or potentially bypass Content Security Policy protections, increasing the risk of data breaches or unauthorized disclosure of personal or protected health information.

Therefore, until fixed, this vulnerability poses a risk to maintaining the confidentiality and integrity requirements mandated by such regulations.

Detection Guidance

This vulnerability can be detected by inspecting email bodies processed by FreeScout versions prior to 1.8.213 for unescaped double-quote characters within URLs that are converted into HTML anchor tags. Specifically, look for anchor tags where the href attribute is broken out by unescaped quotes, allowing injection of arbitrary HTML attributes such as style.

One practical approach is to search the stored emails or logs for suspicious anchor tags containing injected attributes or malformed href values.

Since the vulnerability manifests when an agent views a crafted email, monitoring the DOM of the rendered email bodies in the browser for unexpected attributes or overlays (e.g., full-page red backgrounds) can also help detect exploitation.

Suggested commands to detect the vulnerability include using grep or similar tools to find unescaped double quotes in URLs within stored email content files or database exports. For example:

  • grep -r '<a href="http' /path/to/freescout/emails | grep '"'
  • grep -r '<a href=.*".*style=' /path/to/freescout/emails

Additionally, inspecting the source code version of FreeScout can confirm if the patch (version 1.8.213 or later) is applied, as the fix involves escaping URLs in the linkify() function using htmlspecialchars().

Compliance Impact

The vulnerability CVE-2026-40565 is a stored Cross-Site Scripting (XSS) and CSS injection issue that allows unauthenticated attackers to inject malicious HTML attributes into email bodies viewed by agents. This can lead to UI redressing attacks and potential session hijacking if Content Security Policy (CSP) protections are bypassed.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, vulnerabilities that enable XSS and session hijacking can lead to unauthorized access or exposure of sensitive personal or health information. Such security weaknesses may therefore impact compliance with data protection regulations that require safeguarding personal data against unauthorized access and ensuring data integrity.

Organizations using vulnerable versions of FreeScout should consider this risk in their compliance assessments and apply the fixed version (1.8.213) to mitigate potential regulatory impacts.

Detection Guidance

This vulnerability can be detected by inspecting email bodies processed by FreeScout versions prior to 1.8.213 for unescaped double-quote characters within URLs that are converted into HTML anchor tags. Specifically, look for anchor tags where the href attribute is broken out by unescaped quotes, allowing injection of arbitrary HTML attributes such as style.

One practical approach is to search stored emails or logs for suspicious anchor tags containing unescaped double-quote characters in URLs, for example, by using grep or similar text search tools on the email storage or database exports.

  • Use a command like: grep -r '<a href="http.*"style=' /path/to/freescout/emails or database dumps to find injected style attributes breaking out of href.
  • Alternatively, extract email bodies and search for URLs containing double-quote characters (") within href attributes that are not properly escaped.

Since the vulnerability manifests when an agent views the email, monitoring the rendered HTML in the browser's developer tools for injected attributes or unexpected CSS overlays can also help detect exploitation.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40565. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart