PT-2026-34030 · Freescout · Freescout

Published: 2026-04-21 · Updated: 2026-04-21 · CVE-2026-41190

CVSS v3.1: 7.1 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions

FreeScout versions prior to 1.8.215

Description

When the APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS setting is enabled, the system correctly restricts access to conversation views for users who are not the creator or the assignee. However, the 'save draft' AJAX path lacks sufficient validation, allowing a direct POST request to create a draft within a conversation that should be hidden in the user interface.

Recommendations

Update to version 1.8.215.
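
The flaw class in the description, as an added example that is not FreeScout's code: a plain-PHP model in which the view path and a hardened draft path share one access check, next to a draft path that skips it. The setting constant, function names, status codes and sample data are all hypothetical, and mailbox-level permissions are left out.

```php
<?php
declare(strict_types=1);

// Hypothetical model of the flaw class; not FreeScout source code.
// All names and sample data below are constructed for illustration.

const SHOW_ONLY_ASSIGNED = true; // stands in for the setting named in the advisory

/** One policy: with the setting on, only the creator or the assignee has access. */
function canAccessConversation(array $user, array $conv): bool
{
    if (!SHOW_ONLY_ASSIGNED) {
        return true;
    }
    return in_array($user['id'], [$conv['created_by'], $conv['assignee_id']], true);
}

/** View path: enforces the policy (the behaviour the advisory calls correct). */
function viewConversation(array $user, array $conv): int
{
    return canAccessConversation($user, $conv) ? 200 : 403;
}

/** Unchecked shape: the draft handler never consults the policy. */
function saveDraftUnchecked(array $user, array &$conv, string $body): int
{
    $conv['drafts'][] = ['author' => $user['id'], 'body' => $body];
    return 200;
}

/** Hardened shape: the write path reuses the same policy as the view path. */
function saveDraftChecked(array $user, array &$conv, string $body): int
{
    if (!canAccessConversation($user, $conv)) {
        return 403;
    }
    $conv['drafts'][] = ['author' => $user['id'], 'body' => $body];
    return 200;
}

// Constructed sample: user 7 is neither creator (1) nor assignee (2).
$conv = ['id' => 42, 'created_by' => 1, 'assignee_id' => 2, 'drafts' => []];
$outsider = ['id' => 7];

printf("view:            %d\n", viewConversation($outsider, $conv));
printf("draft unchecked: %d\n", saveDraftUnchecked($outsider, $conv, 'x'));
printf("draft checked:   %d\n", saveDraftChecked($outsider, $conv, 'y'));
printf("drafts stored:   %d\n", count($conv['drafts']));
```

A regression test for this class of bug asserts that every state-changing route on a conversation returns the same denial as the view route for a user who is neither creator nor assignee.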

Fix

Incorrect Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-41190

Affected Products

Freescout