CVE-2026-40590

Published: Apr 21, 2026

Modified: Apr 21, 2026

PUBLISHED

CVSS v3.1

4.3

MEDIUM

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.214, the Change Customer modal exposes a “Create a new customer” flow via POST /customers/ajax with action=create. Under limited visibility, the endpoint drops unique-email validation. If the supplied email already belongs to a hidden customer, Customer::create() reuses that hidden customer object and fills empty profile fields from attacker-controlled input. Version 1.8.214 fixes the vulnerability.

Vendor	Product	Versions
freescout-help-desk	freescout	affected `< 1.8.214`

Weaknesses (CWE)

CWE-639

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

References

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m

x_refsource_CONFIRM

https://github.com/freescout-help-desk/freescout/commit/b3d7611e6e173ed8a5e525b791deb6b32cf1ce62

x_refsource_MISC

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.214

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-40590

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References