CVE-2026-40590

Name of the Vulnerable Software and Affected Versions FreeScout versions prior to 1.8.214

Description The Change Customer modal exposes a flow to create new customers via the "POST /customers/ajax" endpoint using the action parameter set to create. Under limited visibility, this endpoint fails to perform unique-email validation. If a provided email is associated with a hidden customer, the Customer::create() function reuses that hidden customer object and populates empty profile fields with input controlled by an attacker.

Recommendations Update to version 1.8.214.