FreeScout CVE-2026-41905: Server-Side Request Forgery via Redirect Logic

The National Vulnerability Database has disclosed CVE-2026-41905, a high-severity Server-Side Request Forgery (SSRF) vulnerability affecting FreeScout, a PHP-based help desk solution. Prior to version 1.8.217, the Helper::sanitizeRemoteUrl() function in app/Misc/Helper.php mishandles HTTP redirects. While curlGetLastRedirectedUrl() correctly follows redirects, the subsequent validation re-checks the original URL, not the final destination.

This flaw allows an attacker to bypass initial host checks by supplying a URL that initially passes validation but then redirects to an internal HTTP service. Such services could include cloud metadata endpoints, internal APIs, or resources within RFC1918 private IP ranges that would otherwise be inaccessible. The National Vulnerability Database assigns this a CVSS score of 7.7 (HIGH), with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, highlighting its network accessibility and high impact on confidentiality.

Attackers can leverage this to probe internal networks, gather sensitive configuration data, or potentially interact with internal services, escalating what appears to be a minor URL validation bypass into a significant information disclosure risk. The vulnerability is categorized under CWE-918 (Server-Side Request Forgery). FreeScout has patched this issue in version 1.8.217, emphasizing the need for immediate upgrades.
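The validate-then-follow mistake described above, and its fix, as an added illustration in Python (not FreeScout's PHP code and not part of the NVD entry). The hostnames, the resolved addresses and the in-memory HTTP and DNS tables are constructed so the script runs offline. vulnerable_fetch() checks the host once, before any request is made, so the 302 to a link-local metadata address is never inspected; safe_fetch() re-runs the same check on every Location it is about to follow.

```python
import ipaddress
from urllib.parse import urljoin, urlparse

MAX_HOPS = 5
REDIRECT_CODES = (301, 302, 303, 307, 308)


class SsrfBlocked(Exception):
    """Raised when a URL (the one supplied or any redirect target) fails the host check."""


# Constructed stand-in for DNS. 93.184.216.34 stands for "some routable public address".
FAKE_DNS = {"cdn.example.com": "93.184.216.34"}

# Constructed stand-in for the network: URL -> (status, response headers, body).
# The first entry models an attacker-controlled host answering with a redirect to a
# cloud metadata address; the hop1/hop2 pair models a benign relative redirect.
FAKE_HTTP = {
    "https://cdn.example.com/avatar.png": (302, {"Location": "http://169.254.169.254/latest/meta-data/"}, b""),
    "http://169.254.169.254/latest/meta-data/": (200, {}, b"ami-id\ninstance-id\n"),
    "https://cdn.example.com/hop1": (301, {"Location": "/hop2"}, b""),
    "https://cdn.example.com/hop2": (200, {}, b"final image bytes"),
}


def http_get_no_follow(url):
    """Issue one request without following redirects (constructed transport)."""
    try:
        return FAKE_HTTP[url]
    except KeyError:
        raise LookupError(f"no constructed response for {url}") from None


def resolve_host(host):
    """Return the address a host resolves to: literal IPs parse directly, names use FAKE_DNS."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        if host not in FAKE_DNS:
            raise SsrfBlocked(f"unresolvable host: {host}")
        return ipaddress.ip_address(FAKE_DNS[host])


def assert_public_url(url):
    """Reject non-http(s) schemes and any host resolving to a non-public address."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise SsrfBlocked(f"unsupported URL: {url}")
    ip = resolve_host(parts.hostname)
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        raise SsrfBlocked(f"{parts.hostname} resolves to non-public address {ip}")


def vulnerable_fetch(url):
    """Vulnerable pattern: validate the supplied URL once, then follow redirects blindly.

    This is the class of bug described for CVE-2026-41905: the check runs against the
    original URL only, so a redirect to an internal address is never inspected.
    """
    assert_public_url(url)
    for _ in range(MAX_HOPS):
        status, headers, body = http_get_no_follow(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise SsrfBlocked("too many redirects")


def safe_fetch(url):
    """Hardened pattern: validate every hop before the request for that hop is issued."""
    for _ in range(MAX_HOPS):
        assert_public_url(url)
        status, headers, body = http_get_no_follow(url)
        if status in REDIRECT_CODES:
            url = urljoin(url, headers["Location"])
            continue
        return body
    raise SsrfBlocked("too many redirects")


def is_blocked(fetcher, url):
    """True if the fetcher refuses the URL or one of its redirect hops."""
    try:
        fetcher(url)
    except SsrfBlocked:
        return True
    return False


if __name__ == "__main__":
    target = "https://cdn.example.com/avatar.png"
    print("vulnerable_fetch blocked:", is_blocked(vulnerable_fetch, target))  # False
    print("safe_fetch blocked:", is_blocked(safe_fetch, target))              # True
    print("safe_fetch benign:", safe_fetch("https://cdn.example.com/hop1"))
```

Checking each hop is what closes the redirect bypass. A complete SSRF guard additionally pins the address the check resolved to and connects to that address rather than re-resolving the name (so the answer cannot change between check and connect), caps the hop count as the example does, and refuses redirects that change the scheme to something other than http or https.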

What This Means For You

  • If your organization uses FreeScout, you are exposed to potential internal network reconnaissance and data exfiltration through SSRF. Attackers will chain this with other findings. Patch to FreeScout version 1.8.217 immediately. Review FreeScout logs for any unusual outbound HTTP requests or connections to internal IP ranges, which could indicate exploitation attempts.
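An added, constructed example (not from the advisory or from FreeScout) of the log review suggested above, in Python. It walks egress-proxy lines, flags every request whose resolved destination is a private, loopback, link-local or otherwise non-public address, and, because the redirect bypass leaves a characteristic pair in the log, records the public URL the same client fetched a few seconds earlier as the likely redirect origin. The log format, client and destination addresses, and URLs are all constructed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed egress-proxy log:
# "<ISO timestamp> <client ip> <method> <url> <resolved destination ip> <status>"
SAMPLE_LOG = """\
2026-05-08T10:01:02Z 10.0.5.21 GET https://cdn.example.com/avatar.png 93.184.216.34 302
2026-05-08T10:01:02Z 10.0.5.21 GET http://169.254.169.254/latest/meta-data/iam/ 169.254.169.254 200
2026-05-08T10:02:40Z 10.0.5.21 GET https://cdn.example.com/logo.png 93.184.216.34 200
2026-05-08T10:03:11Z 10.0.5.21 GET http://10.0.0.15:8500/v1/kv/ 10.0.0.15 200
2026-05-08T10:04:00Z 10.0.5.21 GET http://[::1]:6379/ ::1 500
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")
CHAIN_WINDOW = timedelta(seconds=5)  # how close the public fetch must be to count as the origin


def is_non_public(ip_text):
    """True for destinations an outbound help-desk fetch should never reach."""
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def parse_ts(text):
    # fromisoformat() in older Python versions does not accept a trailing "Z".
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def find_internal_egress(log_text):
    """Return one finding per request to a non-public destination.

    Each finding records the request and, when the same client fetched a public URL
    within CHAIN_WINDOW just before it, that URL as the likely redirect origin.
    """
    findings = []
    last_public = {}  # client -> (timestamp, url) of its most recent public-destination request
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsable line; a production parser would count these
        ts_text, client, method, url, dst_ip, status = m.groups()
        ts = parse_ts(ts_text)
        if not is_non_public(dst_ip):
            last_public[client] = (ts, url)
            continue
        origin = None
        prev = last_public.get(client)
        if prev and ts - prev[0] <= CHAIN_WINDOW:
            origin = prev[1]
        findings.append({
            "ts": ts_text, "client": client, "method": method,
            "url": url, "dst_ip": dst_ip, "status": status,
            "preceded_by": origin,
        })
    return findings


if __name__ == "__main__":
    for f in find_internal_egress(SAMPLE_LOG):
        tail = f"  (after {f['preceded_by']})" if f["preceded_by"] else ""
        print(f"{f['ts']} {f['client']} -> {f['dst_ip']} {f['url']}{tail}")
```

On the constructed log the metadata request is reported with the avatar URL as its origin, while the later requests to 10.0.0.15 and ::1 are reported on their own because no public fetch preceded them within the window. Any request from the help-desk host to a non-public destination deserves a look regardless of whether an origin is attached.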

🛡️ Detection Rules

Severity: high · ATT&CK: T1190 (Initial Access)

FreeScout CVE-2026-41905 SSRF via Redirect Logic

Sigma YAML:
title: FreeScout CVE-2026-41905 SSRF via Redirect Logic
id: scw-2026-05-07-ai-1
status: experimental
level: high
description: |
  Detects requests to the FreeScout helper.php script with a 'remote_url' parameter, which is indicative of the SSRF vulnerability (CVE-2026-41905). This vulnerability allows attackers to force the server to make requests to arbitrary URLs, potentially accessing internal services or cloud metadata.
author: SCW Feed Engine (AI-generated)
date: 2026-05-07
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-41905/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/app/misc/helper.php'
    cs-uri-query|contains:
      - 'remote_url='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type  Indicator
CVE-2026-41905  SSRF  FreeScout < 1.8.217
CVE-2026-41905  SSRF  app/Misc/Helper.php::Helper::sanitizeRemoteUrl()
CVE-2026-41905  SSRF  app/Misc/Helper.php::curlGetLastRedirectedUrl()

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 07, 2026 at 22:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
