PT-2025-30950 · Freescout · Freescout

Artem Danilov +2 · Published 2025-07-26 · Updated 2025-08-10 · CVE-2025-54366

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.186

Description: FreeScout is a lightweight, free, open-source help desk and shared inbox built with PHP (Laravel framework). Versions prior to 1.8.186 contain a critical deserialization vulnerability in the /conversation/ajax endpoint. Authenticated users with knowledge of the APP_KEY can achieve remote code execution. The vulnerability occurs when the application processes the attachments_all and attachments POST parameters through the Helper::decrypt() function, which performs unsafe deserialization of user-controlled data without proper validation. This allows attackers to create arbitrary objects and manipulate their properties, leading to complete compromise of the web application.

Recommendations: Update to version 1.8.186 or later.
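The pattern the advisory describes, as an added illustration that is not FreeScout's own Helper code: a decrypt helper that hands the plaintext to unserialize() beside a hardened variant that decrypts a plain string and accepts only a flat list of attachment ids. It assumes Laravel's Encrypter class, a constructed key standing in for APP_KEY, and a hypothetical JSON list as the parameter's expected shape.

```php
<?php
// Added illustration, not FreeScout's own Helper class. Contrasts the pattern
// the advisory describes (decrypt, then unserialize) with a hardened version.
require 'vendor/autoload.php';               // composer require illuminate/encryption

use Illuminate\Contracts\Encryption\DecryptException;
use Illuminate\Encryption\Encrypter;

// Constructed key standing in for APP_KEY. Laravel payloads carry an HMAC, which is
// why only a holder of the key can craft a payload that reaches unserialize().
$encrypter = new Encrypter(Encrypter::generateKey('aes-256-cbc'), 'aes-256-cbc');

final class VulnerableHelper
{
    // Laravel's decrypt() defaults to $unserialize = true: whatever object graph
    // was serialized under the key is rebuilt here, with no restriction on classes.
    public static function decrypt(Encrypter $enc, string $payload): mixed
    {
        return $enc->decrypt($payload);
    }
}

final class HardenedHelper
{
    // Decrypts a plain string (no unserialize) and accepts only a flat JSON list of
    // positive integers, which is all an attachment-id parameter needs to carry.
    public static function decryptAttachmentIds(Encrypter $enc, string $payload): ?array
    {
        try {
            $plain = $enc->decryptString($payload);
        } catch (DecryptException $e) {
            return null;                          // bad MAC, wrong key or malformed
        }
        $ids = json_decode($plain, true, 2);      // depth 2: a list of scalars at most
        if (!is_array($ids) || !array_is_list($ids)) {   // array_is_list needs PHP 8.1
            return null;
        }
        foreach ($ids as $id) {
            if (!is_int($id) || $id <= 0) {
                return null;
            }
        }
        return $ids;
    }
}

// Constructed inputs: a valid id list is accepted, an object-shaped payload is rejected.
var_dump(HardenedHelper::decryptAttachmentIds($encrypter, $encrypter->encryptString('[12,15]')));
var_dump(HardenedHelper::decryptAttachmentIds($encrypter, $encrypter->encryptString('{"a":1}')));
```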

Exploit

Fix

RCE

Weakness Enumeration: Deserialization of Untrusted Data

Related Identifiers

CVE-2025-54366
GHSA-VCC2-6R66-GVVJ

Affected Products

Freescout