PT-2026-26374
Jorianwoltjer · Published 2026-03-19 · Updated 2026-03-20
CVE-2026-32753
CVSS v2.0: 8.5 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: FreeScout versions 1.8.208 and below
Description: FreeScout, a help desk and shared inbox built on PHP's Laravel framework, is susceptible to a flaw that lets attackers upload and execute malicious JavaScript through specially crafted SVG files. This is achieved by exploiting bypasses in the attachment view logic and the SVG sanitizer. The application accepts files with a '.png' extension and an 'image/svg+xml' content type, and a fallback mechanism for invalid XML results in inadequate sanitization. By combining a filename with an allowed extension and a Content-Type of image/svg+xml, an attacker can bypass the security checks and cause the server to render the malicious SVG inline. Any authenticated user can create a URL that, when visited by another user or administrator, executes arbitrary actions on their behalf. The API endpoint for file uploads is vulnerable, specifically in its handling of the filename and Content-Type parameters; the renderFile() function is also involved in rendering the malicious SVG.
Recommendations: Update FreeScout versions 1.8.208 and below to version 1.8.209 or later.
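The description above names three weak points: an extension/Content-Type mismatch that is accepted, a lenient fallback for invalid XML, and inline rendering of SVG. The following added example (illustrative hardening code for a hypothetical upload endpoint, not FreeScout's own code) shows an attachment check that fails closed on each of them: the declared type must match the extension, the file bytes must match the declared type, malformed SVG is rejected rather than passed to a fallback, and well-formed SVG is only ever served as a download with scripts blocked.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Allowed extensions, each mapped to the only MIME type it may be declared with.
ALLOWED = {
    "png": "image/png",
    "jpg": "image/jpeg",
    "jpeg": "image/jpeg",
    "gif": "image/gif",
    "svg": "image/svg+xml",
}
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
GIF_MAGICS = (b"GIF87a", b"GIF89a")
SVG_ROOT = re.compile(rb"<svg[\s/>]", re.IGNORECASE)

def sniff(data: bytes) -> Optional[str]:
    """Type implied by the bytes themselves, independent of name or header."""
    if data.startswith(PNG_MAGIC):
        return "image/png"
    if data.startswith(JPEG_MAGIC):
        return "image/jpeg"
    if data.startswith(GIF_MAGICS):
        return "image/gif"
    if SVG_ROOT.search(data[:2048]):  # root may follow an XML declaration
        return "image/svg+xml"
    return None

def validate_upload(filename: str, declared_type: str, data: bytes) -> dict:
    """Reject on any disagreement; decide how a surviving file may be served."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED.get(ext)
    if expected is None:
        return {"ok": False, "reason": "extension not allowed"}
    if declared_type.split(";")[0].strip().lower() != expected:
        return {"ok": False, "reason": "Content-Type does not match extension"}
    if sniff(data) != expected:
        return {"ok": False, "reason": "file content does not match declared type"}
    headers = {"Content-Type": expected, "X-Content-Type-Options": "nosniff",
               "Content-Disposition": "inline"}
    if expected == "image/svg+xml":
        try:  # no lenient fallback: malformed XML is rejected outright
            ET.fromstring(data)  # use defusedxml for untrusted input in production
        except ET.ParseError:
            return {"ok": False, "reason": "SVG is not well-formed XML"}
        # Even well-formed SVG is download-only and script-free when served.
        headers["Content-Disposition"] = "attachment"
        headers["Content-Security-Policy"] = "sandbox; script-src 'none'"
    return {"ok": True, "headers": headers}
```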

Weakness Enumeration

XSS

Related Identifiers

BDU:2026-05084
CVE-2026-32753
GHSA-CVR8-CW5C-5PFW

Affected Products

Freescout
Laravel
Php