CVE-2026-32754
Published: 19 March 2026
Summary
CVE-2026-32754 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in FreeScout. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 23.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI-generated]
- SI-15 (Information Output Filtering): directly mandates filtering unsanitized email bodies when rendering them in outgoing notifications, to prevent stored XSS execution.
- SI-10 (Information Input Validation): requires validation and sanitization of incoming email bodies before database storage, to neutralize XSS payloads from unauthenticated attackers.
- SI-2 (Flaw Remediation): ensures timely identification and patching of flaws such as unescaped output in Blade templates, as fixed in FreeScout 1.8.209.
MITRE ATT&CK Enterprise Techniques [AI-generated]
Why these techniques?
Stored XSS in a public-facing helpdesk application (FreeScout) directly enables remote, unauthenticated exploitation via email input (T1190); the injected payload executes as JavaScript in recipients' contexts (T1059.007) and facilitates browser or email-client session hijacking and credential theft (T1185).
NVD Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in the database without sanitization and rendered unescaped in outgoing email notifications using Blade's raw output syntax {!! $thread->body !!}. An unauthenticated attacker can exploit this vulnerability by simply sending an email; when the resulting notification is opened by any subscribed agent or admin as part of their normal workflow, it enables universal HTML injection (phishing, tracking) and, in vulnerable email clients, JavaScript execution (session hijacking, credential theft, account takeover), affecting all recipients simultaneously. This issue has been fixed in version 1.8.209.
Deeper analysis [AI-generated]
CVE-2026-32754 is a stored cross-site scripting (XSS) vulnerability affecting FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. Versions 1.8.208 and prior are vulnerable due to incoming email bodies being stored in the database without sanitization and subsequently rendered unescaped in outgoing email notifications using Laravel Blade's raw output syntax {!! $thread->body !!}. This flaw, associated with CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-116 (Improper Encoding or Escaping of Output), carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N).
An unauthenticated attacker can exploit this vulnerability by sending a malicious email to the FreeScout instance. When any subscribed agent or administrator opens the resulting notification email as part of their normal workflow, the unsanitized content triggers universal HTML injection across all recipients, enabling phishing or tracking. In email clients vulnerable to JavaScript execution, this escalates to session hijacking, credential theft, or account takeover, impacting all notification recipients simultaneously.
The issue has been addressed in FreeScout version 1.8.209, as detailed in the project's security advisory (GHSA-56h2-5556-r6mg), release notes, and the fixing commit (3329379db38a86cf7069b0709061b95a7d38985b). Security practitioners should upgrade to 1.8.209 or later and review notification templates for similar raw output usage.
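The following PHP script is an added illustration, not FreeScout's own code and not the project's actual fix. It mirrors what Blade's raw directive {!! ... !!} and its escaped directive {{ ... }} do to a stored email body, and includes a small audit helper that lists raw-output directives in a template so a reviewer can check each one, which is the template review the analysis above recommends. The email body and template fragment are constructed samples; the function names are assumptions made here for illustration.

```php
<?php
// Added example (not FreeScout's own code). Shows the difference between
// Blade's raw output ({!! ... !!}) and escaped output ({{ ... }}) on an
// email body that carries markup, plus a simple audit for raw-output
// directives in Blade templates. All inputs below are constructed samples.

declare(strict_types=1);

// Escaped output: this is essentially what Blade compiles {{ $x }} to via
// Laravel's e() helper (htmlspecialchars with ENT_QUOTES and UTF-8).
function escapeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// Vulnerable rendering: mirrors {!! $thread->body !!}, which inserts the
// stored body into the notification HTML untouched (pre-1.8.209 behaviour).
function renderNotificationRaw(string $body): string
{
    return "<div class=\"thread-body\">{$body}</div>";
}

// Hardened rendering: mirrors {{ $thread->body }}. Markup in the body becomes
// inert text, so the recipient's mail client displays it instead of parsing it.
function renderNotificationEscaped(string $body): string
{
    return "<div class=\"thread-body\">" . escapeForHtml($body) . "</div>";
}

// Audit helper: returns the expression inside every {!! ... !!} directive in
// a template string, so a reviewer can decide whether each value is trusted
// (e.g. an already-sanitized fragment) or user-controlled (e.g. a thread body).
function findRawOutputDirectives(string $template): array
{
    preg_match_all('/\{!!\s*(.+?)\s*!!\}/s', $template, $matches);
    return $matches[1];
}

// Constructed inbound email body carrying markup. The tags are deliberately
// harmless; the point is only that they pass through the raw path unescaped.
$sampleBody = 'Hello <b>support</b>, see <a href="https://example.invalid">this</a>.';

echo "Raw (vulnerable):\n" . renderNotificationRaw($sampleBody) . "\n\n";
echo "Escaped (hardened):\n" . renderNotificationEscaped($sampleBody) . "\n\n";

// Constructed template fragment in the shape the advisory describes.
$sampleTemplate = <<<'BLADE'
<p>{{ $customer->getFullName() }} replied:</p>
<div>{!! $thread->body !!}</div>
BLADE;

foreach (findRawOutputDirectives($sampleTemplate) as $expr) {
    echo "raw output directive found: {$expr}\n";
}
```

Run it with `php example.php`. The escaped path turns the sample's `<b>` and `<a>` tags into `&lt;b&gt;` and `&lt;a ...&gt;`, which is what stops an email body from being interpreted as HTML by the recipient's client. Note that plain escaping also discards legitimate formatting in HTML emails; a product that wants to keep safe markup would instead pass the body through an allow-list HTML sanitizer before rendering, and whichever approach FreeScout chose in 1.8.209 is not stated on this page, so the fixing commit referenced above is the place to confirm it.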
Details
- CWE(s)