{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32753", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T18:53:03.532Z", "datePublished": "2026-03-19T21:26:09.802Z", "dateUpdated": "2026-03-19T21:26:09.802Z"}, "containers": {"cna": {"title": "FreeScout: Stored XSS through SVG file upload with filter bypass", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.5, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/cb8618845704aef8f5e4a494c7f605e7bd9fdaeb", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/cb8618845704aef8f5e4a494c7f605e7bd9fdaeb"}, {"name": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.209", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-19T21:26:09.802Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered \"safe\" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209."}], "source": {"advisory": "GHSA-cvr8-cw5c-5pfw", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered \"safe\" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209."}], "id": "CVE-2026-32753", "lastModified": "2026-03-20T13:39:46.493", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-19T22:16:41.827", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/commit/cb8618845704aef8f5e4a494c7f605e7bd9fdaeb"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209"}, {"source": "security-advisories@github.com", "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.209)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-03-19T22:21:03.653528+00:00", "value": {"mitigation_remediation": ["Apply vendor patch to version 1.8.209 or later."], "summary": {"action": "Apply Patch", "impact": "Cross-site scripting (Stored XSS) allowing malicious JavaScript execution in authenticated users' browsers."}, "threat_synthesis": {"affected_systems": "The affected product is FreeScout (freescout-help-desk:freescout). Versions 1.8.208 and earlier are vulnerable, while version 1.8.209 and subsequent releases contain the fix. The vulnerability is exploitable only when an authenticated user uploads the file and an authenticated or privileged user subsequently clicks the resulting link.", "description_and_impact": "FreeScout, a PHP/Laravel-based help desk application, contains a stored cross\u2011site scripting flaw that is triggered by uploading a specially crafted SVG file. By renaming the file to an allowed extension such as .png and specifying the content type image/svg+xml, the upload logic mistakenly treats the file as a safe image and renders it inline. The SVG component can embed JavaScript, which is then executed in the browser of any viewer, granting the attacker the victim\u2019s privileges to perform arbitrary actions on their behalf. The weakness is identified as CWE\u201180, i.e., improper input handling leading to cross\u2011site scripting.", "risk_and_exploitability": "The severity is high, with a CVSS score of 8.5, indicating serious impact. The EPSS score is not available, and the issue is not present in the CISA KEV catalog. Because the attack requires only the ability to upload a file via the web interface and to get another user to open the link, the risk of exploitation remains relatively high for sites where FreeScout is publicly accessible and where users can upload attachments."}}}}, "created": "2026-03-20T08:55:34.542885+00:00", "updated": "2026-03-20T11:05:57.006591+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}