CVE-2026-34442 PUBLISHED

FreeScout: Host Header Injection Leading to External Resource Loading and Open Redirect in FreeScout

Assigner: GitHub_M
Reserved: 27.03.2026 Published: 31.03.2026 Updated: 01.04.2026

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This leads to External Resource Loading and Open Redirect behavior. When the application constructs links and assets using the unvalidated Host header, user requests can be redirected to attacker-controlled domains and external resources may be loaded from malicious servers. This issue has been patched in version 1.8.211.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS Score: 5.4

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	freescout-help-desk
Product	freescout
Versions	Version < 1.8.211 is affected

References

Problem Types

CWE-20: Improper Input Validation CWE
CWE-601: URL Redirection to Untrusted Site ('Open Redirect') CWE
CWE-829: Inclusion of Functionality from Untrusted Control Sphere CWE