CVE-2026-34442

5.4 MEDIUM
Published: March 31, 2026 Modified: April 01, 2026
View on NVD

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/freescout-help-desk/freescout/commit/889d75c8e3c15e6a7ddb6a4d4f65cc0379c29213
Source: security-advisories@github.com
Patch
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.211
Source: security-advisories@github.com
Release Notes
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-822g-7rw5-53xj
Source: security-advisories@github.com
Exploit Vendor Advisory
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-822g-7rw5-53xj
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Exploit Vendor Advisory

4 reference(s) from NVD

Quick Stats

CVSS v3 Score
5.4 / 10.0
EPSS (Exploit Probability)
0.1%
23th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-20 CWE-601 CWE-829 CWE-601

Affected Vendors

freescout

Related CVEs

CVE-2026-5965 9.8
CVE-2026-6675 5.3
CVE-2026-6674 6.5
CVE-2026-40497 8.1
CVE-2026-6058 4.5