In Helpy version 2.8.0, a medium-severity vulnerability, CVE-2026-40229, was detected. This vulnerability allows attackers to perform stored cross-site scripting (XSS) by injecting arbitrary HTML into the account name field, which is then rendered unescaped in post author displays across public forum threads, admin ticket views, and HTML notification emails. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40229.
In Helpy version 2.8.0, a medium-severity vulnerability, CVE-2026-40230, was detected. This vulnerability allows authenticated attackers with admin or agent editor privileges to inject and persist arbitrary HTML or JavaScript in the knowledge base document body field, which is then executed during rendering due to improper sanitization. Currently, there is no fix version for this issue. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40230.
In FreeScout versions prior to 1.8.213, a medium-severity vulnerability, CVE-2026-40565, was detected. This vulnerability allows attackers to inject arbitrary HTML attributes by sending emails with specially crafted plain-text URLs containing unescaped double-quote characters, which are improperly converted into HTML anchor tags. To address this issue, users should upgrade FreeScout to version 1.8.213. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40565.
In FreeScout versions prior to 1.8.213, a critical-severity vulnerability, CVE-2026-40498, was detected. This vulnerability allows unauthenticated attackers to access restricted diagnostic and system tools using an exposed static MD5 hash, leading to sensitive information disclosure (such as full path and process IDs) and resource exhaustion (DoS) through the repeated triggering of background tasks. To address this issue, users should upgrade FreeScout to version 1.8.213. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-40498.
In FreeScout versions prior to 1.8.206, a critical-severity vulnerability, CVE-2026-27637, was detected. This vulnerability allows attackers to compute predictable authentication tokens using `MD5(user_id + created_at + APP_KEY)`, enabling full account takeover, including administrative accounts, without requiring a password. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27637.
In FreeScout versions prior to 1.8.206, a critical-severity vulnerability, CVE-2026-27636, was detected. This vulnerability allows authenticated users to upload `.htaccess` files on Apache servers with `AllowOverride All`, bypassing file upload restrictions and enabling remote code execution. To address this issue, users should upgrade FreeScout to version 1.8.206 or later. For more details, visit https://nvd.nist.gov/vuln/detail/CVE-2026-27636.