CVE-2026-41904: FreeScout XSS Delivers Payloads via Auto-Reply

The National Vulnerability Database has disclosed CVE-2026-41904, a high-severity cross-site scripting (XSS) vulnerability in FreeScout, a PHP-based help desk and shared inbox solution. Prior to version 1.8.217, an authenticated user with the updateAutoReply permission could embed an XSS payload in a mailbox's auto-reply message. Because the message is rendered unescaped into the outgoing auto-reply email, the payload executes in the context of any customer's webmail or mail client when that email is opened.

This is a classic client-side attack vector, but its delivery mechanism via email makes it particularly insidious. Email clients typically lack Content Security Policy (CSP) enforcement, allowing the injected script to run unimpeded. The National Vulnerability Database assigns a CVSS score of 7.6 (High) with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N, highlighting the network vector, low attack complexity, and high impact on confidentiality.

Attackers leveraging this vulnerability could steal session cookies, deface the customer’s webmail interface, or phish for credentials directly within the email client. The key here is the trusted channel: customers expect legitimate auto-replies. This trust is weaponized. Organizations using FreeScout must patch to version 1.8.217 immediately to mitigate this risk and prevent potential compromise of customer accounts.

What This Means For You

  • If your organization uses FreeScout, prioritize patching to version 1.8.217 without delay. This XSS vulnerability allows an attacker to compromise customer accounts via poisoned auto-reply emails. Audit user permissions for `updateAutoReply` and review any custom auto-reply messages for suspicious code. This is not theoretical; it's a direct path to customer data compromise.
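To make the two recommendations above concrete, here is an added example (not FreeScout's own code, and not its actual fix) of an allow-list HTML sanitiser that an application could apply to an auto-reply message before embedding it in outgoing mail. It doubles as the audit check for stored messages: its `findings` list is non-empty whenever a message carries script or style blocks, event-handler attributes, or `javascript:` URLs. The tag allow-list and the `sanitize_auto_reply` function are illustrative assumptions.

```python
"""Allow-list sanitiser and audit for stored auto-reply HTML (added example, not project code)."""
from html import escape
from html.parser import HTMLParser

# Hypothetical policy: plain formatting only; no script/style, event handlers or script URLs.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

def _keep_attr(tag, name, value):
    """Drop anything not allow-listed; href must use a non-script scheme."""
    if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
        return False
    return name != "href" or (value or "").strip().lower().startswith(SAFE_SCHEMES)

class AutoReplySanitizer(HTMLParser):
    """Rebuilds the message from allowed tags only; text nodes are re-escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:  # audit: record script-capable attributes before dropping them
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}")
        if tag in ("script", "style"):  # audit: raw script/style block present; drop its body
            self.findings.append(tag)
            self._skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still kept (escaped)
        kept = "".join(f' {n}="{escape(v or "")}"' for n, v in attrs if _keep_attr(tag, n, v))
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data))

def sanitize_auto_reply(html):
    """Return (clean_html, findings). Non-empty findings means the stored message needs review."""
    parser = AutoReplySanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings
```

Running `sanitize_auto_reply` over every stored auto-reply message and flagging any with findings is the audit step; using its first return value when building the email is the hardening step.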


🛡️ Detection Rules

Detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; one of the three rules is reproduced here as Sigma YAML.

Level: high · ATT&CK: T1190 (Exploit Public-Facing Application), Initial Access

CVE-2026-41904: FreeScout Mailbox Auto-Reply XSS Payload

Sigma YAML:

```yaml
title: CVE-2026-41904: FreeScout Mailbox Auto-Reply XSS Payload
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects script-capable content being saved into the FreeScout mailbox auto-reply
  message (CVE-2026-41904). An authenticated user with the updateAutoReply permission
  can store a script in the auto-reply message, which is then rendered unescaped in
  emails sent to customers. The rule matches the common XSS carriers rather than a
  single proof-of-concept string, so trivial variants of the payload are not missed.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41904/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver   # the fields below are web-server access-log fields, not email fields
detection:
  selection:
    cs-method: 'POST'
    cs-uri-stem|contains: '/mail/autoresponder'   # path as given in this rule; verify against your FreeScout routes
  payload:
    # The message travels in the POST body; this only fires where the body or query is logged
    # (e.g. a WAF or application log). Plain access logs will not contain it.
    cs-uri-query|contains:
      - '<script'
      - 'javascript:'
      - 'onerror='
      - 'onload='
  condition: selection and payload
falsepositives:
  - Legitimate administrative activity
  - Administrators who intentionally place inline markup in auto-reply templates
```

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
| --- | --- | --- |
| CVE-2026-41904 | XSS | FreeScout < 1.8.217 |
| CVE-2026-41904 | XSS | Vulnerable component: mailbox auto-reply message |
| CVE-2026-41904 | XSS | Affected permission: updateAutoReply |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

