CVE-2026-40568

High

Published: 21 April 2026

Published

21 April 2026

Modified

22 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

EPSS Score 0.0003 10.1th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40568 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 requires implementing input validation mechanisms that directly address the incomplete HTML sanitization in Helper::stripDangerousTags(), preventing storage of malicious event handler attributes in mailbox signatures.

SI-15 Information Output Filtering good match

prevent

SI-15 mandates output filtering to prevent execution of injected scripts, directly mitigating the unsafe rendering via Blade {!! !!} tags and jQuery .html() when signatures are displayed.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely flaw remediation by applying the vendor patch in FreeScout 1.8.213, which fixes the sanitization deficiency and prevents exploitation.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.007 JavaScript Execution

Adversaries may abuse various implementations of JavaScript for execution.

attack.mitre.org →

Why these techniques?

Stored XSS in web app enables exploitation of the application for code execution and allows arbitrary JavaScript execution in victim browsers.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

FreeScout is a free self-hosted help desk and shared mailbox. Versions prior to 1.8.213 have a stored cross-site scripting (XSS) vulnerability in the mailbox signature feature. The sanitization function `Helper::stripDangerousTags()` (`app/Misc/Helper.php:568`) uses an incomplete blocklist of only four HTML tags…

(`script`, `form`, `iframe`, `object`) and does not remove event handler attributes. When a mailbox signature is saved via `MailboxesController::updateSave()` (`app/Http/Controllers/MailboxesController.php:267`), HTML elements such as `<img>`, `<svg>`, and `<details>` with event handler attributes like `onerror` and `onload` pass through sanitization unchanged and are stored in the database. The signature is then rendered as raw HTML via the Blade `{!! !!}` tag in `editor_bottom_toolbar.blade.php:6` and re-inserted into the visible DOM by jQuery `.html()` at `main.js:1789-1790`, triggering the injected event handlers. Any authenticated user with the `ACCESS_PERM_SIGNATURE` (`sig`) permission on a mailbox -- a delegatable, non-admin permission -- can inject arbitrary HTML and JavaScript into the mailbox signature. The payload fires automatically, with no victim interaction, whenever any agent or administrator opens any conversation in the affected mailbox. This enables session hijacking (under CSP bypass conditions such as IE11 or module-weakened CSP), phishing overlays that work in all browsers regardless of CSP, and chaining to admin-level actions including email exfiltration via mass assignment and self-propagating worm behavior across all mailboxes. Version 1.8.213 fixes the issue.

Deeper analysisAI

CVE-2026-40568 is a stored cross-site scripting (XSS) vulnerability affecting FreeScout, a free self-hosted help desk and shared mailbox application, in versions prior to 1.8.213. The issue resides in the mailbox signature feature, where the sanitization function Helper::stripDangerousTags() in app/Misc/Helper.php only blocks four HTML tags (script, form, iframe, object) and fails to remove event handler attributes. Consequently, elements like img, svg, and details with attributes such as onerror and onload bypass sanitization during saving via MailboxesController::updateSave() in app/Http/Controllers/MailboxesController.php, get stored in the database, and are rendered unsafely using Blade {!! !!} tags in editor_bottom_toolbar.blade.php and jQuery .html() in main.js, executing the injected code.

Any authenticated user with the delegatable ACCESS_PERM_SIGNATURE (sig) permission on a mailbox, which does not require admin privileges, can exploit this to inject arbitrary HTML and JavaScript into the signature. The payload executes automatically without user interaction whenever an agent or administrator opens any conversation in the affected mailbox. This allows session hijacking under conditions like CSP bypasses (e.g., IE11 or weakened CSP), phishing overlays effective across browsers, and chaining to higher-privilege actions such as email exfiltration through mass assignment or self-propagating worm-like behavior across mailboxes. The vulnerability carries a CVSS v3.1 score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N) and maps to CWE-79 and CWE-116.

The FreeScout security advisory (GHSA-w2f5-6wcv-677r) and release notes for version 1.8.213 detail the fix, implemented via commit 1d83e1cffb0bf8d109625313530b36b0f5910b3f, which addresses the incomplete sanitization. Security practitioners should upgrade to FreeScout 1.8.213 or later to mitigate the issue, as no additional workarounds are specified in the provided references.