PT-2025-23247 · Freescout · Freescout

Artem Danilov +5 · Published 2025-05-13 · Updated 2025-06-04 · CVE-2025-48481

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

FreeScout versions prior to 1.8.180

Description

The issue allows an attacker with an unactivated email invitation containing the invite hash to self-activate their account, even if it is blocked or deleted. This is achieved by leveraging the invitation link from the email to gain initial access to the account.

Recommendations

For versions prior to 1.8.180, update to version 1.8.180 to resolve the issue. As a temporary workaround, consider restricting access to the invitation link from unactivated email invitations until the update is applied.
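
The class of flaw described above, shown as an added example that is not FreeScout's code or its actual fix: an invitation handler that trusts the hash alone, beside one that also checks account state and revokes the hash. The user array, status names, function names and hash strings are all hypothetical and constructed for illustration.

```php
<?php
// Hypothetical in-memory user model (assumption), not FreeScout's schema or code.
const INVITED = 'invited'; const ACTIVE = 'active';
const BLOCKED = 'blocked'; const DELETED = 'deleted';

// Constructed sample data: both accounts still hold the hash from their invitation email.
$users = [
    ['id' => 1, 'status' => INVITED, 'invite_hash' => 'constructed-hash-aaaa'],
    ['id' => 2, 'status' => BLOCKED, 'invite_hash' => 'constructed-hash-bbbb'],
];

// Flawed pattern: a matching hash is the only condition for activation.
function acceptInviteFlawed(array &$users, string $hash): ?int {
    foreach ($users as &$u) {
        if ($u['invite_hash'] !== null && hash_equals($u['invite_hash'], $hash)) {
            $u['status'] = ACTIVE;   // a blocked or deleted account becomes active again
            return $u['id'];
        }
    }
    return null;
}

// Checked pattern: the hash works once, and only while the account awaits activation.
function acceptInviteChecked(array &$users, string $hash): ?int {
    foreach ($users as &$u) {
        if ($u['invite_hash'] === null || !hash_equals($u['invite_hash'], $hash)) continue;
        if ($u['status'] !== INVITED) return null;   // blocked, deleted or already active
        $u['status'] = ACTIVE;
        $u['invite_hash'] = null;                    // single use
        return $u['id'];
    }
    return null;
}

// Blocking or deleting an account also revokes any outstanding invitation hash.
function setStatus(array &$users, int $id, string $status): void {
    foreach ($users as &$u) {
        if ($u['id'] !== $id) continue;
        $u['status'] = $status;
        if (in_array($status, [BLOCKED, DELETED], true)) $u['invite_hash'] = null;
    }
}

$copy = $users;                                                 // keep $users untouched
var_dump(acceptInviteFlawed($copy, 'constructed-hash-bbbb'));   // blocked user's hash
var_dump(acceptInviteChecked($users, 'constructed-hash-bbbb')); // same hash, checked path
var_dump(acceptInviteChecked($users, 'constructed-hash-aaaa')); // pending invitation
```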

Related Identifiers

BDU:2025-06957
CVE-2025-48481
GHSA-JGJ2-X749-5WC7

Affected Products

Freescout