PT-2026-33996 · Freescout · Freescout

Published 2026-04-21 · Updated 2026-04-21 · CVE-2026-40565

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.213

Description: The linkify() function in app/Misc/Helper.php converts plain-text URLs in email bodies into HTML anchor tags without escaping double-quote characters (") in the URL. Because HTMLPurifier, as invoked through getCleanBody(), preserves literal double-quote characters in text nodes, linkify() places URLs containing such characters inside the href attribute unescaped. A double quote in the URL therefore closes the href value early, which allows arbitrary HTML attributes to be injected into the anchor tag by breaking out of href.

Recommendations: Update to version 1.8.213.
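The defect pattern described above, as an added illustration that is not FreeScout's own code: a minimal linkify() in the unescaped shape the advisory describes, next to a version that escapes the URL for the attribute context, with a check that shows only the unsafe one lets a double quote close the href attribute. The regex, function names and sample input are assumptions made for this example.

```php
<?php
// Added example, not code from FreeScout. Assumes the input text has already
// passed a sanitizer that keeps literal double quotes in text nodes (as the
// advisory says of getCleanBody()), so linkify() sees them unescaped.

function linkify_unsafe(string $text): string {
    // Drops the matched URL straight into href without any escaping.
    return preg_replace('~https?://[^\s<]+~i', '<a href="$0">$0</a>', $text);
}

function linkify_safe(string $text): string {
    return preg_replace_callback(
        '~https?://[^\s<]+~i',
        function (array $m): string {
            // Escape for the attribute context: " becomes &quot;, so the URL
            // can no longer terminate the href value and add attributes.
            $href = htmlspecialchars($m[0], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            return '<a href="' . $href . '">' . $href . '</a>';
        },
        $text
    );
}

// Regression check for the fix: the output must contain exactly one anchor whose
// href value is immediately followed by the closing '>' (no injected attributes).
function href_attribute_is_intact(string $html): bool {
    return preg_match('~^[^<]*<a href="[^"]*">[^<]*</a>[^<]*$~', $html) === 1;
}

// Constructed sample: a URL carrying a literal double quote, as a plain-text
// email body could after sanitization.
$input = 'see https://example.test/path?q=1"x';

echo href_attribute_is_intact(linkify_unsafe($input))
    ? "unsafe: attribute intact\n"
    : "unsafe: double quote closed the href attribute\n";
echo href_attribute_is_intact(linkify_safe($input))
    ? "safe: attribute intact\n"
    : "safe: attribute broken\n";
```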

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-40565

Affected Products: Freescout