|
1001
|
4.3 |
MEDIUM
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. U…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-40590
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1002
|
7.1 |
HIGH
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the phone-conversation creation flow accepts attacker-controlled `customer_id`, `name`, `to_email`, and `phone`…
New
|
CWE-639
Authorization Bypass Through User-Controlled Key
|
CVE-2026-40591
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1003
|
5.9 |
MEDIUM
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the undo-send route `GET /conversation/undo-reply/{thread_id}` checks only whether the current user can view th…
New
|
CWE-862
Missing Authorization
|
CVE-2026-40592
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1004
|
4.3 |
MEDIUM
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the assigned-only restriction is applied to direct conversation view and folder queries, but not to non-folder …
New
|
CWE-200
Information Exposure
|
CVE-2026-41183
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1005
|
7.1 |
HIGH
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, customer-thread editing is authorized through `ThreadPolicy::edit()`, which checks mailbox access but does not …
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41189
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1006
|
7.1 |
HIGH
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, when `APP_SHOW_ONLY_ASSIGNED_CONVERSATIONS` is enabled, direct conversation view correctly blocks users who are…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41190
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1007
|
7.1 |
HIGH
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, `MailboxesController::updateSave()` persists `chat_start_new` outside the allowed-field filter. A user with onl…
New
|
CWE-863
Incorrect Authorization
|
CVE-2026-41191
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1008
|
7.1 |
HIGH
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]…
New
|
CWE-862
Missing Authorization
|
CVE-2026-41192
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1009
|
9.1 |
CRITICAL
Network
|
-
|
-
|
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authen…
New
|
CWE-22
Path Traversal
|
CVE-2026-41193
|
2026-04-23 06:10 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
|
1010
|
4.9 |
MEDIUM
Network
|
-
|
-
|
October is a Content Management System (CMS) and web platform. Prior to 3.7.14 and 4.1.10, a server-side information disclosure vulnerability was identified in the handling of CSS preprocessor files.…
New
|
CWE-184
CWE-863
Incomplete Blacklist
Incorrect Authorization
|
CVE-2026-26067
|
2026-04-23 06:08 |
2026-04-22 |
Show
|
GitHub
Exploit DB
Packet Storm
|
|
|
