PT-2026-44995 · Freescout · Freescout

Geo-Chen · Published 2026-05-29 · Updated 2026-05-29 · CVE-2026-48810

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

FreeScout versions prior to 1.8.221

Description

A flaw exists in the ThreadPolicy::edit() function where the system fails to verify current mailbox membership. A user possessing the PERM_EDIT_CONVERSATIONS permission who previously created a message or internal note in a specific mailbox can modify the body of that thread even after an administrator has removed them from that mailbox. This occurs because the policy only validates the user's authorship and a global permission flag, neglecting to check if the user is still a member of the mailbox.

Recommendations

Update to version 1.8.221.
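
The check described above, modelled as an added example (not FreeScout's source code and not the project's patch): the first function reproduces the authorship-plus-global-flag decision, the second also evaluates current mailbox membership at request time. All class, property and function names and the sample IDs are hypothetical.

```php
<?php
// Simplified model of the authorization decision in the description.
// Every name here is hypothetical; this is not FreeScout code.

const PERM_EDIT_CONVERSATIONS = 'edit_conversations'; // constructed value

final class User
{
    public function __construct(
        public int $id,
        public array $permissions, // global permission flags
        public array $mailboxIds,  // mailboxes the user currently belongs to
    ) {}

    public function hasPermission(string $perm): bool
    {
        return in_array($perm, $this->permissions, true);
    }
}

final class Thread
{
    public function __construct(public int $createdByUserId, public int $mailboxId) {}
}

// Behaviour the advisory describes: authorship plus a global flag only.
function canEditAuthorAndFlagOnly(User $user, Thread $thread): bool
{
    return $thread->createdByUserId === $user->id
        && $user->hasPermission(PERM_EDIT_CONVERSATIONS);
}

// Same check, but the user must still be a member of the thread's mailbox.
function canEditWithMembership(User $user, Thread $thread): bool
{
    return in_array($thread->mailboxId, $user->mailboxIds, true)
        && canEditAuthorAndFlagOnly($user, $thread);
}

// Constructed scenario: user 7 wrote a note in mailbox 3, then was removed from it.
$agent = new User(7, [PERM_EDIT_CONVERSATIONS], [3]);
$note  = new Thread(7, 3);
$agent->mailboxIds = []; // administrator removes the user from mailbox 3

var_dump(canEditAuthorAndFlagOnly($agent, $note));
var_dump(canEditWithMembership($agent, $note));
```

Requires PHP 8.0 or later for constructor property promotion. The same scenario works as a regression test after upgrading: a user removed from a mailbox should be denied edits to threads they authored there.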

Exploit

Fix

Improper Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-48810

Affected Products

Freescout