CVE-2026-34442

Exploit

EPSS 0.22%
Veröffentlicht 31.03.2026 21:28:19
Zuletzt bearbeitet 01.04.2026 19:49:03
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

FreeScout: Host Header Injection Leading to External Resource Loading and Open Redirect in FreeScout

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 3 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Freescout ≫ Freescout Version < 1.8.211

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.22%	0.122

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	5.4	2.8	2.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

CWE-829 Inclusion of Functionality from Untrusted Control Sphere

The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-822g-7rw5-53xj

Vendor Advisory

Exploit

https://github.com/freescout-help-desk/freescout/commit/889d75c8e3c15e6a7ddb6a4d4f65cc0379c29213

Patch

https://github.com/freescout-help-desk/freescout/releases/tag/1.8.211

Release Notes

https://nvd.nist.gov/vuln/detail/CVE-2026-34442

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34442

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34442

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34442