Security

Report a vulnerability

SECURITY.md

Security Policy

Reporting a Vulnerability

Report a security vulnerability in the Application Core: https://github.com/freescout-help-desk/freescout/security/advisories
Report a security vulnerability in a Module: https://freescout.net/contact-us/

Guidelines

One issue per Advisory — do not put several issues into one Advisory, as GitHub will not assign a CVE to such an Advisory.
CVEs are requested after the fix for the vulnerability is released.
If you found an issue related to the APP_LIMIT_USER_CUSTOMER_VISIBILITY=true mode, make sure to read the FAQ.

User invitation hash never expires: permanent unauthenticated account takeover if invite link leaks
GHSA-hqff-cwx7-3jpm published Apr 24, 2026 by freescout-help-desk

Critical
IDOR: PERM_EDIT_USERS allows modifying any user's notification subscriptions (incomplete fix of CVE-2025-48472)
GHSA-f489-qxv6-gvgg published Apr 24, 2026 by freescout-help-desk

Moderate
Stored XSS in mailbox auto-reply: payload reaches every customer's email client (no CSP), bypassing strip_tags validator with mixed text+HTML content
GHSA-q3fh-rj9h-jfrc published Apr 24, 2026 by freescout-help-desk

High
SSRF via Helper::sanitizeRemoteUrl: redirect destination not re-validated, allowing internal HTTP / cloud-metadata access
GHSA-22wf-848c-c856 published Apr 24, 2026 by freescout-help-desk

High
Non-folder conversation queries disclose assigned-only hidden conversations
GHSA-7rh8-9rgv-g35r published Apr 18, 2026 by freescout-help-desk

Moderate
Assigned-only visibility bypass allows editing hidden customer-authored threads
GHSA-4h5p-7f5c-q7gj published Apr 18, 2026 by freescout-help-desk

High
Assigned-only visibility bypass via save_draft allows hidden conversation draft injection
GHSA-vj2p-2789-3747 published Apr 18, 2026 by freescout-help-desk

High
Signature only mailbox permission allows unauthorized mailbox chat setting changes
GHSA-wpv9-c2gv-2j82 published Apr 18, 2026 by freescout-help-desk

Moderate
Client-controlled attachment IDs allow deletion of existing conversation attachments
GHSA-cv36-2j23-x6g3 published Apr 18, 2026 by freescout-help-desk

High
Zip Slip path traversal in module installation allows arbitrary file write leading to RCE
GHSA-r85m-5mc9-cc9w published Apr 18, 2026 by freescout-help-desk

Critical

Learn more about advisories related to freescout-help-desk/freescout in the GitHub Advisory Database