CVE-2026-32754 - Vulnerability Analysis
Critical | CVSS: 9.3 | Last Updated: March 19, 2026
FreeScout - Stored XSS
Overview
FreeScout <= 1.8.208 contains a stored XSS vulnerability: email bodies are stored in the database unsanitized and rendered unescaped in email notifications, letting unauthenticated attackers execute scripts when the emails are viewed.
Impact
Unauthenticated attackers can execute scripts in agents' or admins' email clients, enabling phishing, session hijacking, and account takeover.
Mitigation
Update to version 1.8.209 or later.
Social Media Activity (2 posts)
CVE-2026-32754 - Critical (9.3) FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Versions 1.8.208 and below are vulnerable to Stored Cross-Site Scripting (XSS) through FreeScout's email notification templates. Incoming email bodies are stored in... https://www.thehackerwire.com/vulnerability/CVE-2026-32754/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-32754
- Severity: Critical
- CVSS Score: 9.3
- Type: stored_xss
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N