{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40565", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-14T13:24:29.473Z", "datePublished": "2026-04-21T15:52:39.118Z", "dateUpdated": "2026-04-21T19:48:40.654Z"}, "containers": {"cna": {"title": "FreeScout has Stored XSS / CSS Injection via linkify() \u2014 Unescaped URL in Anchor href", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/265379b3ae343f06846adc0aa8510643d1eac2df", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/265379b3ae343f06846adc0aa8510643d1eac2df"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.213", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T15:52:39.118Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (\") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal \" characters in text nodes. linkify() then wraps URLs including those \" chars inside an unescaped href=\"...\" attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue."}], "source": {"advisory": "GHSA-49pm-xwqj-vwjp", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T17:40:53.650733Z", "id": "CVE-2026-40565", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T19:48:40.654Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40565", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T17:40:53.650733Z"}}}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T17:41:10.975Z"}}], "cna": {"title": "FreeScout has Stored XSS / CSS Injection via linkify() \u2014 Unescaped URL in Anchor href", "source": {"advisory": "GHSA-49pm-xwqj-vwjp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.213"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/265379b3ae343f06846adc0aa8510643d1eac2df", "name": "https://github.com/freescout-help-desk/freescout/commit/265379b3ae343f06846adc0aa8510643d1eac2df", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (\") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal \" characters in text nodes. linkify() then wraps URLs including those \" chars inside an unescaped href=\"...\" attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-21T15:52:39.118Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40565", "state": "PUBLISHED", "dateUpdated": "2026-04-21T19:48:40.654Z", "dateReserved": "2026-04-14T13:24:29.473Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-21T15:52:39.118Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (\") in the URL. HTMLPurifier (called first via getCleanBody()) preserves literal \" characters in text nodes. linkify() then wraps URLs including those \" chars inside an unescaped href=\"...\" attribute, breaking out of the href and injecting arbitrary HTML attributes. Version 1.8.213 fixes the issue."}], "id": "CVE-2026-40565", "lastModified": "2026-04-21T20:16:59.407", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-21T16:16:20.390", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/265379b3ae343f06846adc0aa8510643d1eac2df"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.213"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.213)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-22T03:05:06.246524+00:00", "value": {"mitigation_remediation": ["Upgrade the FreeScout installation to version 1.8.213 or later, which applies the necessary escaping to linkify() output.", "Download the update from the project's GitHub releases or apply it using an official package manager.", "If an immediate upgrade is not feasible, mitigate by sanitizing URLs before rendering\u2014escape or remove quotation marks in the href attribute.", "Alternatively, disable the automatic linkification feature until the patch can be applied."], "summary": {"action": "Immediate Patch", "impact": "Stored XSS / CSS Injection"}, "threat_synthesis": {"affected_systems": "The issue affects the FreeScout Help Desk application, specifically any installation using a version older than 1.8.213. All users of those versions who receive or render email content are potentially affected.", "description_and_impact": "This vulnerability arises when FreeScout converts plain\u2011text URLs in email bodies into anchor tags without escaping quotation marks. The resulting href attribute can be broken out of, permitting attackers to inject arbitrary HTML attributes or script code. The flaw is a classic stored cross\u2011site scripting weakness.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a moderate severity. No EPSS data is currently available and the vulnerability is not listed in the CISA KEV catalog. An attacker would need the ability to inject content that passes through the linkify() function, such as through an email message or a user\u2011submitted comment. Once the crafted URL is rendered, the injected HTML can execute script or alter style, leading to potential data theft or session hijacking if the victim interacts with the affected page content."}}}}, "created": "2026-04-21T17:30:37.395592+00:00", "updated": "2026-04-22T03:15:06.408963+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}