CVE-2026-40566

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.213

Description A Server-Side Request Forgery (SSRF) issue exists in the IMAP/SMTP connection test functionality of the MailboxesController. Three AJAX actions, 'fetch test', 'send test', and 'imap folders' in app/Http/Controllers/MailboxesController.php, pass admin-configured in server, in port, out server, and out port values directly to fsockopen() via Helper::checkPort() and to IMAP/SMTP client connections without protection. The system lacks IP validation, hostname restrictions, internal range blocklists, and does not utilize sanitizeRemoteUrl() or checkUrlIpAndHost() functions. An authenticated administrator can configure a mailbox to point to any internal host and port to trigger connection tests. This allows for internal network port scanning and service fingerprinting, as the server opens raw TCP and protocol-level connections. In cloud environments, this can be used to probe the metadata endpoint at '169.254.169.254', potentially leaking partial response data through protocol error messages.

Recommendations Update to version 1.8.213.