PT-2026-44993 · Freescout · Freescout
Fr0Z863Xf · Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-47123
CVSS v3.1: 7.5 High
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: FreeScout versions prior to 1.8.220
Description: The email processing pipeline in the FetchEmails command contains two code paths for identifying agent replies using the In-Reply-To and References headers. The notification reply path (notify-thread id-user id-...) extracts the thread id and user id directly from the Message-ID without HMAC (Hash-based Message Authentication Code) verification. This allows an external attacker who spoofs the From address of a helpdesk agent to inject messages that are processed as legitimate agent replies and then automatically forwarded to customers via the legitimate SMTP server.
Recommendations: Update to version 1.8.220.
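As an added illustration (not FreeScout's code; the Message-ID layout, the constructed secret and domain, and the function names are assumptions modelled on the "notify-thread id-user id-..." form the description names), the unverified parse is shown beside a hardened one that authenticates the embedded ids with an HMAC tag before a message is attributed to an agent, and the From header is never consulted as the authority:

```python
import hashlib
import hmac
import re
from typing import Optional, Tuple

# Constructed values for the demo; a real deployment keeps the secret in config.
SECRET = b"constructed-demo-secret"
DOMAIN = "helpdesk.example"

# Hypothetical layout modelled on the "notify-<thread id>-<user id>-..." form the
# advisory names; FreeScout's real Message-ID format may differ.
LOOSE_RE = re.compile(r"^<?notify-(\d+)-(\d+)-")
TAGGED_RE = re.compile(r"^<?notify-(\d+)-(\d+)-([0-9a-f]{32})@[^>]+>?$")

def _tag(thread_id: int, user_id: int, secret: bytes) -> str:
    """HMAC-SHA256 over the two ids, truncated to 128 bits (32 hex chars)."""
    msg = f"notify:{thread_id}:{user_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]

def make_notify_message_id(thread_id: int, user_id: int, secret: bytes = SECRET) -> str:
    """Outgoing notification Message-ID that carries an authentication tag."""
    return f"<notify-{thread_id}-{user_id}-{_tag(thread_id, user_id, secret)}@{DOMAIN}>"

def parse_unverified(in_reply_to: str) -> Optional[Tuple[int, int]]:
    """The weak pattern: ids are trusted because the string has the right shape."""
    m = LOOSE_RE.match(in_reply_to.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def parse_verified(in_reply_to: str, secret: bytes = SECRET) -> Optional[Tuple[int, int]]:
    """Hardened: ids are accepted only if the tag was produced with our secret."""
    m = TAGGED_RE.match(in_reply_to.strip())
    if not m:
        return None
    thread_id, user_id, tag = int(m.group(1)), int(m.group(2)), m.group(3)
    if not hmac.compare_digest(tag, _tag(thread_id, user_id, secret)):
        return None  # right shape, wrong tag: handle as an ordinary customer mail
    return thread_id, user_id

def attribute_agent_reply(headers: dict, secret: bytes = SECRET) -> Optional[Tuple[int, int]]:
    """Check In-Reply-To, then each References entry; From is never the authority."""
    candidates = [headers.get("In-Reply-To", "")] + headers.get("References", "").split()
    for cand in candidates:
        ids = parse_verified(cand, secret)
        if ids:
            return ids
    return None
```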


Weakness Enumeration: Authentication Bypass by Spoofing; Insufficient Verification of Data Authenticity
Related Identifiers: CVE-2026-47123
Affected Products: Freescout