CVE-2026-41902CRITICAL 9.1EPSS p15.6%

CVE-2026-41902CVE-2026-41902

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.217, the /user-setup/{hash} endpoint accepts a 60-character random invite_hash to set a new user's password. The endpoint performs no expiration check — the hash remains valid indefinitely until consumed. Combined with realistic hash-leakage scenarios (forwarded invite emails, HTTP referrer to external CDNs on the setup page, server-side log exposure, abandoned invite emails in shared inboxes), this enables unauthenticated permanent account takeover months or years after invite issuance. If the leaked invite was sent to an admin, the takeover yields admin access. This issue has been patched in version 1.8.217.

Scoring

CVSS 3.19.1 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS0.25% probability of exploitation · percentile 15.6% · 2026-06-19T12:03:05Z
Published2026-05-07
Last modified2026-05-08

Underlying weaknesses· 1

CWE-613

References

  1. https://github.com/freescout-help-desk/freescout/releases/tag/1.8.217
  2. https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm
  3. https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hqff-cwx7-3jpm

1

TypeTargetConfidenceTier
WeaknessInsufficient Session Expirationcwe-6130%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-45294
CVE
CVE-2025-48481
CVE
CVE-2026-27637
CVE
CVE-2026-48811
CVE
CVE-2025-48476
CVE
CVE-2026-47123
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.