PT-2026-34012 · Freescout · Freescout

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-40568

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
FreeScout versions prior to 1.8.213

Description
A stored cross-site scripting (XSS) issue exists in the mailbox signature feature. The sanitization function Helper::stripDangerousTags() uses an incomplete blocklist of HTML tags and fails to remove event handler attributes. When a mailbox signature is saved via MailboxesController::updateSave(), HTML elements such as <img>, <svg>, and <details> containing event handler attributes like onerror and onload are stored in the database. These are later rendered as raw HTML, triggering the injected event handlers. Any authenticated user with the ACCESS PERM SIGNATURE permission can inject arbitrary HTML and JavaScript. The payload executes automatically when an agent or administrator opens a conversation in the affected mailbox, potentially leading to session hijacking, phishing overlays, email exfiltration via mass assignment, and self-propagating worm behavior.

Recommendations
Update to version 1.8.213.
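The root cause described above is a sanitizer built as a tag blocklist that never looks at attributes. The example below is added here for illustration and is not FreeScout's code: it contrasts a hypothetical blocklist stripper modelled on that pattern (the tag list is constructed, not the real Helper::stripDangerousTags() list) with an allowlist sanitizer that keeps only the tags and attributes a signature needs, drops every on* event handler, and restricts URL-bearing attributes to http(s)/mailto. The sample signature strings are constructed test input.

```python
"""Blocklist vs. allowlist HTML sanitization for a mailbox signature.

Added example, not FreeScout's code. BLOCKLIST_TAGS, ALLOWED_TAGS and
ALLOWED_ATTRS are constructed for this demonstration.
"""
import re
from html import escape
from html.parser import HTMLParser

# Hypothetical blocklist in the style the advisory describes: it names a few
# tags and ignores attributes entirely, so <img onerror=...> passes through.
BLOCKLIST_TAGS = ("script", "iframe", "object", "embed")


def blocklist_strip(html: str) -> str:
    """Weak approach: remove blocklisted tags, keep everything else verbatim."""
    for tag in BLOCKLIST_TAGS:
        html = re.sub(rf"</?{tag}\b[^>]*>", "", html, flags=re.IGNORECASE)
    return html


# Allowlist: what a signature legitimately needs and nothing more.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "strong", "em", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
VOID_TAGS = {"br", "img"}
SAFE_URL = re.compile(r"^(https?:|mailto:)", re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, emitting only allowed parts."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept
        kept = []
        for name, value in attrs:
            name = name.lower()
            value = (value or "").strip()
            # Any event handler (onerror, onload, ontoggle, ...) is rejected,
            # as is every attribute not explicitly allowed for this tag.
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            # URL attributes must use a safe scheme (no javascript:, data:, ...).
            if name in ("href", "src") and not SAFE_URL.match(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        # An <img> without a surviving src carries nothing useful; drop it.
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            return
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped


def sanitize_signature(html: str) -> str:
    """Hardened approach: allowlist tags and attributes, escape all text."""
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample signature mixing legitimate markup with the kinds of
    # event-handler attributes the advisory describes.
    sample = ('<p>Regards,<br><b onmouseover="x()">Alice</b>'
              '<img src=x onerror=alert(1)>'
              '<a href="javascript:alert(1)">x</a>'
              '<a href="https://example.com">site</a></p>')
    print("blocklist :", blocklist_strip(sample))
    print("allowlist :", sanitize_signature(sample))
```

The blocklist version returns the sample unchanged because none of its tags are listed, which is exactly the failure mode described: the dangerous part is the attribute, not the tag. The allowlist version keeps the text and the https link, strips the event handlers and the javascript: href, and drops the <img> once its unsafe src is removed. Rendering signatures through an escaping template, or storing them only after this kind of allowlist pass, closes the stored-XSS path regardless of which new tag an attacker tries next.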

Exploit

Fix

XSS

Improper Encoding or Escaping of Output


Weakness Enumeration

Related Identifiers

CVE-2026-40568

Affected Products

Freescout