CVE-2026-40568
Received Received - Intake
Stored XSS in FreeScout Mailbox Signature Enables Session Hijacking

Publication date: 2026-04-21

Last updated on: 2026-04-21

Assigner: GitHub, Inc.

Description
FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags (`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-21
Last Modified
2026-04-21
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40568
EUVD
EUVD-2026-24169
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
freescout freescout to 1.8.213 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40568 is a stored cross-site scripting (XSS) vulnerability in FreeScout versions prior to 1.8.213, specifically in the mailbox signature feature.

The vulnerability arises because the HTML sanitization function `Helper::stripDangerousTags()` only blocks four HTML tags (`script`, `form`, `iframe`, `object`) but does not remove event handler attributes like `onerror` or `onload`. This allows malicious HTML elements such as `<img>`, `<svg>`, and `<details>` with event handlers to be saved in mailbox signatures.

When a mailbox signature is saved, the insufficient sanitization lets attackers store arbitrary HTML and JavaScript in the database. Later, this content is rendered as raw HTML and inserted into the visible DOM, causing the malicious scripts to execute automatically without any user interaction.

Any authenticated user with the delegatable, non-admin permission `ACCESS_PERM_SIGNATURE` can exploit this to inject malicious code that triggers whenever any agent or administrator views a conversation in the affected mailbox.

Compliance Impact

The vulnerability allows authenticated users with limited permissions to inject malicious HTML and JavaScript into mailbox signatures, which can lead to session hijacking, phishing, unauthorized data exfiltration, and self-propagating attacks.

Such unauthorized access and data exfiltration risks can compromise the confidentiality and integrity of sensitive information, potentially violating data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data against unauthorized access and breaches.

Because the vulnerability enables attackers to exfiltrate emails containing sensitive data and hijack sessions without user interaction, organizations using affected versions of FreeScout may face compliance challenges related to protecting personal data, maintaining data confidentiality, and ensuring secure access controls.

Impact Analysis

This vulnerability can have severe impacts including:

  • Session hijacking under conditions where Content Security Policy (CSP) can be bypassed, such as in IE11 or weakened CSP modules.
  • Phishing overlays that work across all browsers regardless of CSP, using only HTML and CSS.
  • Chaining attacks to admin-level actions, such as mass assignment to inject automatic BCC addresses on mailboxes, enabling exfiltration of sensitive emails.
  • Self-propagating worm behavior that spreads malicious signatures across all mailboxes accessible to the victim.
  • Remote code execution by uploading malicious FreeScout modules (PHP webshells) when CSP is bypassed.
  • Injection of tracking pixels to monitor when agents and customers view emails.

Additionally, the vulnerability affects outgoing emails where the malicious signature is included verbatim in HTML emails without CSP enforcement, increasing the risk of exploitation.

Detection Guidance

This vulnerability involves stored cross-site scripting (XSS) in mailbox signatures of FreeScout versions prior to 1.8.213. Detection involves identifying mailbox signatures containing malicious HTML elements with event handler attributes such as onerror or onload that bypass the sanitization.

You can detect potentially malicious signatures by querying the database for mailbox signatures containing suspicious HTML tags and event handler attributes. For example, searching for signatures containing <img>, <svg>, <details> tags with attributes like onerror or onload.

  • Use SQL queries on the FreeScout database to find mailbox signatures with suspicious patterns, e.g.: SELECT * FROM mailbox_signatures WHERE signature LIKE '%<img%onerror=%' OR signature LIKE '%<svg%onload=%';
  • Monitor HTTP traffic for suspicious payloads or injected scripts in mailbox signature update requests, especially POST requests to MailboxesController::updateSave().
  • Check application logs for unusual mailbox signature updates by users with ACCESS_PERM_SIGNATURE permission.

Note that no specific detection commands are provided in the resources, but these general approaches can help identify exploitation attempts or malicious stored signatures.

Mitigation Strategies

The primary mitigation is to upgrade FreeScout to version 1.8.213 or later, which includes a fix replacing the vulnerable sanitization function with a robust allowlist-based HTML purifier that removes dangerous tags and event handler attributes.

Additional immediate steps include:

  • Apply the security update that replaces Helper::stripDangerousTags() with Helper::purifyHtml() to ensure proper sanitization of mailbox signatures.
  • Ensure the fix is applied both when saving signatures (MailboxesController.php) and when rendering them (Conversation.php).
  • Implement the CheckBrowser middleware introduced in version 1.8.213 to block browsers without adequate Content Security Policy (CSP) support, reducing risk from CSP bypass.
  • Restrict or audit users with ACCESS_PERM_SIGNATURE permission to prevent unauthorized signature modifications.

These steps collectively mitigate the risk of stored XSS exploitation, session hijacking, phishing overlays, and other chained attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40568. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart