CVE-2026-32753

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered "safe" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/freescout-help-desk/freescout/commit/cb8618845704aef8f5e4a494c7f605e7bd9fdaeb	Patch
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209	Product Release Notes
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-19 22:16

Updated : 2026-03-23 19:25

NVD link : CVE-2026-32753

Mitre link : CVE-2026-32753

CVE.ORG link : CVE-2026-32753

JSON object : View

Products Affected

freescout

freescout

CWE

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

{"id": "CVE-2026-32753", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-19T22:16:41.827", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/cb8618845704aef8f5e4a494c7f605e7bd9fdaeb", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-80"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered \"safe\" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209."}, {"lang": "es", "value": "FreeScout es un help desk gratuito y una bandeja de entrada compartida construido con el framework Laravel de PHP. En las versiones 1.8.208 e inferiores, los bypasses de la l\u00f3gica de vista de adjuntos y del sanitizador de SVG hacen posible subir y renderizar un SVG que ejecuta JavaScript malicioso. Se permite una extensi\u00f3n de .png con tipo de contenido image/svg+xml, y un mecanismo de fallback en XML inv\u00e1lido conduce a una sanitizaci\u00f3n insegura. La aplicaci\u00f3n restringe qu\u00e9 archivos subidos se renderizan en l\u00ednea: solo los archivos considerados 'seguros' se muestran en el navegador; otros se sirven con Content-Disposition: attachment. Esta decisi\u00f3n se basa en dos comprobaciones: la extensi\u00f3n del archivo (por ejemplo, se permite .png, mientras que .svg puede no estarlo) y el Content-Type declarado (por ejemplo, se permite image/*). Al usar un nombre de archivo con una extensi\u00f3n permitida (por ejemplo, xss.png) y un Content-Type de image/svg+xml, un atacante puede satisfacer ambas comprobaciones y hacer que el servidor trate la subida como una imagen segura y la renderice en l\u00ednea, aunque el cuerpo sea SVG y pueda contener comportamiento con scripts. Cualquier usuario autenticado puede configurar una URL espec\u00edfica, y cada vez que otro usuario o administrador la visita, XSS puede realizar cualquier acci\u00f3n en su nombre. Este problema ha sido solucionado en la versi\u00f3n 1.8.209."}], "lastModified": "2026-03-23T19:25:21.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FA447A4F-F76D-4D18-85E7-18B185572113", "versionEndExcluding": "1.8.209"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}