FreeScout XSS Flaw Allows Session Hijacking and Data Exfiltration
The National Vulnerability Database has identified a critical stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-40568, affecting FreeScout versions prior to 1.8.213. The issue stems from an inadequate sanitization function that fails to block malicious HTML tags and event handler attributes, allowing authenticated users with signature permissions to inject arbitrary JavaScript. This vulnerability is particularly concerning as the injected code executes automatically when any user, including administrators, opens a conversation in an affected mailbox.
The implications for defenders are significant. Attackers can leverage this flaw for session hijacking, bypassing Content Security Policy (CSP) in some environments, or deploying phishing overlays. More alarmingly, it can be chained with other vulnerabilities, such as mass assignment, to exfiltrate sensitive email data or even propagate malicious behavior across all mailboxes within an organization. The National Vulnerability Database rates this flaw at CVSS 8.5 (HIGH).
Organizations running FreeScout must update to version 1.8.213 or later immediately. Administrators should also review user permissions, particularly the ACCESS_PERM_SIGNATURE privilege, and consider revoking it for users who do not strictly require it. Auditing mailbox signature content for suspicious HTML or JavaScript is also a prudent step.
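The signature audit suggested above can be scripted. What follows is an added example, not FreeScout's own code or its sanitizer: a small Python auditor that parses signature HTML with the standard library and reports script-capable tags, `on*` event-handler attributes and `javascript:` URLs. The disallowed-tag list and the sample signatures are constructed assumptions for illustration.

```python
"""Audit help-desk signature HTML for markup a tag-stripping sanitizer must
remove: script-capable tags, on* event-handler attributes and javascript: URLs.
Added example for defender triage, not FreeScout's own code or its sanitizer."""
from html.parser import HTMLParser

# Assumed policy for what never belongs in an email signature (not FreeScout's list).
DISALLOWED_TAGS = {"script", "iframe", "object", "embed", "svg", "math",
                   "style", "base", "form", "meta", "link"}
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}


def _normalise_url(value):
    # Collapse whitespace/control characters so "java\tscript:" is recognised;
    # html.parser has already decoded entities such as &#106; for us.
    return "".join(ch for ch in value if not ch.isspace() and ord(ch) > 31).lower()


class SignatureAuditor(HTMLParser):
    """Records every finding instead of stopping, so one pass lists all issues."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also invoked for self-closing tags
        if tag in DISALLOWED_TAGS:
            self.findings.append(f"disallowed tag <{tag}>")
        for name, value in attrs:
            name = name.lower()
            if name.startswith("on"):
                self.findings.append(f"event handler {name} on <{tag}>")
            elif name in URL_ATTRS and value and _normalise_url(value).startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} on <{tag}>")


def audit_signature(html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    parser = SignatureAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample signatures (not taken from any real incident).
CLEAN = '<p>Kind regards,<br><b>Sam</b><br><a href="https://example.com">example.com</a></p>'
SUSPECT = ('<p>Kind regards</p><img src="x" onerror="void 0">'
           '<a href="&#106;avascript:void 0">site</a><script>void 0</script>')

if __name__ == "__main__":
    for label, sig in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, audit_signature(sig) or "no findings")
```

Run it over signature HTML exported from the mailbox configuration; it is a triage aid for reviewing stored signatures, not a replacement for the upstream fix.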
What This Means For You
- If your organization uses FreeScout, patch to version 1.8.213 immediately to prevent automatic script execution in your help desk. Review and restrict the `ACCESS_PERM_SIGNATURE` permission.
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40568 | XSS | FreeScout versions prior to 1.8.213 |
| CVE-2026-40568 | XSS | Vulnerable component: mailbox signature feature |
| CVE-2026-40568 | XSS | Vulnerable function: Helper::stripDangerousTags() in app/Misc/Helper.php:568 |
| CVE-2026-40568 | XSS | Vulnerable endpoint: MailboxesController::updateSave() in app/Http/Controllers/MailboxesController.php:267 |
| CVE-2026-40568 | XSS | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 21, 2026 at 20:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.