{
  "resultsPerPage": 1,
  "startIndex": 0,
  "totalResults": 1,
  "format": "NVD_CVE",
  "version": "2.0",
  "timestamp": "2026-04-22T22:55:05.657",
  "vulnerabilities": [
    {
      "cve": {
        "id": "CVE-2026-32753",
        "sourceIdentifier": "security-advisories@github.com",
        "published": "2026-03-19T22:16:41.827",
        "lastModified": "2026-03-23T19:25:21.127",
        "vulnStatus": "Analyzed",
        "cveTags": [],
        "descriptions": [
          {
            "lang": "en",
            "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. In versions 1.8.208 and below, bypasses of the attachment view logic and SVG sanitizer make it possible to upload and render an SVG that runs malicious JavaScript. An extension of .png with content type of image/svg+xml is allowed, and a fallback mechanism on invalid XML leads to unsafe sanitization. The application restricts which uploaded files are rendered inline: only files considered \"safe\" are displayed in the browser; others are served with Content-Disposition: attachment. This decision is based on two checks: the file extension (e.g. .png is allowed, while .svg may not be) and the declared Content-Type (e.g. image/* is allowed). By using a filename with an allowed extension (e.g. xss.png) and a Content-Type of image/svg+xml, an attacker can satisfy both checks and cause the server to treat the upload as a safe image and render it inline, even though the body is SVG and can contain scripted behavior. Any authenticated user can set up a specific URL, and whenever another user or administrator visits it, XSS can perform any action on their behalf. This issue has been fixed in version 1.8.209."
          },
          {
            "lang": "es",
            "value": "FreeScout es un help desk gratuito y una bandeja de entrada compartida construido con el framework Laravel de PHP. En las versiones 1.8.208 e inferiores, los bypasses de la lógica de vista de adjuntos y del sanitizador de SVG hacen posible subir y renderizar un SVG que ejecuta JavaScript malicioso. Se permite una extensión de .png con tipo de contenido image/svg+xml, y un mecanismo de fallback en XML inválido conduce a una sanitización insegura. La aplicación restringe qué archivos subidos se renderizan en línea: solo los archivos considerados 'seguros' se muestran en el navegador; otros se sirven con Content-Disposition: attachment. Esta decisión se basa en dos comprobaciones: la extensión del archivo (por ejemplo, se permite .png, mientras que .svg puede no estarlo) y el Content-Type declarado (por ejemplo, se permite image/*). Al usar un nombre de archivo con una extensión permitida (por ejemplo, xss.png) y un Content-Type de image/svg+xml, un atacante puede satisfacer ambas comprobaciones y hacer que el servidor trate la subida como una imagen segura y la renderice en línea, aunque el cuerpo sea SVG y pueda contener comportamiento con scripts. Cualquier usuario autenticado puede configurar una URL específica, y cada vez que otro usuario o administrador la visita, XSS puede realizar cualquier acción en su nombre. Este problema ha sido solucionado en la versión 1.8.209."
          }
        ],
        "metrics": {
          "cvssMetricV40": [
            {
              "source": "security-advisories@github.com",
              "type": "Secondary",
              "cvssData": {
                "version": "4.0",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
                "baseScore": 8.5,
                "baseSeverity": "HIGH",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "attackRequirements": "NONE",
                "privilegesRequired": "LOW",
                "userInteraction": "PASSIVE",
                "vulnConfidentialityImpact": "HIGH",
                "vulnIntegrityImpact": "HIGH",
                "vulnAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "subAvailabilityImpact": "NONE",
                "exploitMaturity": "NOT_DEFINED",
                "confidentialityRequirement": "NOT_DEFINED",
                "integrityRequirement": "NOT_DEFINED",
                "availabilityRequirement": "NOT_DEFINED",
                "modifiedAttackVector": "NOT_DEFINED",
                "modifiedAttackComplexity": "NOT_DEFINED",
                "modifiedAttackRequirements": "NOT_DEFINED",
                "modifiedPrivilegesRequired": "NOT_DEFINED",
                "modifiedUserInteraction": "NOT_DEFINED",
                "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
                "modifiedVulnIntegrityImpact": "NOT_DEFINED",
                "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
                "modifiedSubConfidentialityImpact": "NOT_DEFINED",
                "modifiedSubIntegrityImpact": "NOT_DEFINED",
                "modifiedSubAvailabilityImpact": "NOT_DEFINED",
                "Safety": "NOT_DEFINED",
                "Automatable": "NOT_DEFINED",
                "Recovery": "NOT_DEFINED",
                "valueDensity": "NOT_DEFINED",
                "vulnerabilityResponseEffort": "NOT_DEFINED",
                "providerUrgency": "NOT_DEFINED"
              }
            }
          ],
          "cvssMetricV31": [
            {
              "source": "nvd@nist.gov",
              "type": "Primary",
              "cvssData": {
                "version": "3.1",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "attackVector": "NETWORK",
                "attackComplexity": "LOW",
                "privilegesRequired": "LOW",
                "userInteraction": "REQUIRED",
                "scope": "CHANGED",
                "confidentialityImpact": "LOW",
                "integrityImpact": "LOW",
                "availabilityImpact": "NONE"
              },
              "exploitabilityScore": 2.3,
              "impactScore": 2.7
            }
          ]
        },
        "weaknesses": [
          {
            "source": "security-advisories@github.com",
            "type": "Primary",
            "description": [
              {
                "lang": "en",
                "value": "CWE-80"
              }
            ]
          }
        ],
        "configurations": [
          {
            "nodes": [
              {
                "operator": "OR",
                "negate": false,
                "cpeMatch": [
                  {
                    "vulnerable": true,
                    "criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*",
                    "versionEndExcluding": "1.8.209",
                    "matchCriteriaId": "FA447A4F-F76D-4D18-85E7-18B185572113"
                  }
                ]
              }
            ]
          }
        ],
        "references": [
          {
            "url": "https://github.com/freescout-help-desk/freescout/commit/cb8618845704aef8f5e4a494c7f605e7bd9fdaeb",
            "source": "security-advisories@github.com",
            "tags": ["Patch"]
          },
          {
            "url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.209",
            "source": "security-advisories@github.com",
            "tags": ["Product", "Release Notes"]
          },
          {
            "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cvr8-cw5c-5pfw",
            "source": "security-advisories@github.com",
            "tags": ["Exploit", "Vendor Advisory"]
          }
        ]
      }
    }
  ]
}