PT-2026-33912 · Freescout · Freescout

Published 2026-04-21 · Updated 2026-04-21 · CVE-2026-40497

CVSS v3.1: 8.1 High
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.213
Description: The Helper::stripDangerousTags() function fails to remove <style> tags, although it strips <script>, <form>, <iframe>, and <object> tags. The mailbox signature field, saved via the endpoint '/mailbox/settings/{id}', is rendered unescaped in conversation views. Because the Content Security Policy allows style-src * 'self' 'unsafe-inline', an attacker with access to mailbox settings, such as an admin or an agent with mailbox permissions, can inject CSS attribute selectors. This allows the exfiltration of the CSRF token of any agent or admin viewing a conversation in that mailbox. With this token, the attacker can perform state-changing actions, such as creating admin accounts or changing email and password details, leading to privilege escalation from agent to admin.
Recommendations: Update to version 1.8.213.
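Added illustration of the defect and its fix, written here in Python rather than taken from FreeScout's PHP helper: a tag-denylist stripper that behaves as the advisory describes (with and without <style> in the list), plus a check defenders can run over stored signatures to flag value-probing attribute selectors inside <style> blocks. The sample signature is constructed; the function names and regexes are this example's own.

```python
import re

# Tags the pre-1.8.213 helper removed, per the advisory; <style> is missing.
VULNERABLE_DENYLIST = ("script", "form", "iframe", "object")
# Hardened list: <style> content runs as CSS when style-src allows 'unsafe-inline'.
FIXED_DENYLIST = VULNERABLE_DENYLIST + ("style",)


def strip_dangerous_tags(html: str, denylist=FIXED_DENYLIST) -> str:
    """Remove each denylisted element with its content, then any stray
    open/close tags of those names (case-insensitive, multiline)."""
    for tag in denylist:
        # paired form: <tag ...>...</tag>
        html = re.sub(rf"<{tag}\b[^>]*>.*?</{tag}\s*>", "", html,
                      flags=re.I | re.S)
        # unpaired leftovers: <tag ...> or </tag>
        html = re.sub(rf"</?{tag}\b[^>]*>", "", html, flags=re.I)
    return html


# Attribute selectors that test a value by prefix, suffix or substring
# ([attr^="x"], [attr$="x"], [attr*="x"]) are the building block of
# CSS-based value probing; plain [attr="x"] is not flagged.
_PROBE = re.compile(r"\[\s*([\w-]+)\s*([\^$*]=)\s*(['\"]?)(.*?)\3\s*\]")


def find_value_probing_selectors(html: str):
    """Return (attribute, operator, probe) for every value-probing attribute
    selector found inside <style> blocks of the given HTML."""
    hits = []
    for css in re.findall(r"<style\b[^>]*>(.*?)</style\s*>", html,
                          flags=re.I | re.S):
        for m in _PROBE.finditer(css):
            hits.append((m.group(1).lower(), m.group(2), m.group(4)))
    return hits


# Constructed mailbox signature: benign HTML, a <script> the old helper does
# catch, and a <style> block with a prefix-probing selector it does not.
SIGNATURE = (
    "<p>Best regards,<br>Support</p>"
    "<script>alert(1)</script>"
    '<style>meta[content^="a"]{color:red}</style>'
)

if __name__ == "__main__":
    print("old helper:", strip_dangerous_tags(SIGNATURE, VULNERABLE_DENYLIST))
    print("fixed:     ", strip_dangerous_tags(SIGNATURE))
    print("probes:    ", find_value_probing_selectors(SIGNATURE))
```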

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-40497

Affected Products: Freescout