| Description | CVE | Affected Versions | Date |
|---|---|---|---|
| Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution | CVE-2026-28289 | < 1.8.207 | 2026-02-28 |
| Missing .htaccess in Restricted File Extensions Allows Remote Code Execution on Apache | CVE-2026-27636 | < 1.8.206 | 2026-02-24 |
| Predictable Authentication Token Enables Account Takeover | CVE-2026-27637 | < 1.8.206 | 2026-02-24 |
| Deserialization of untrusted data leads to Remote code execution (RCE) [10] | CVE-2025-58171 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [8] | CVE-2025-58170 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [7] | CVE-2025-58169 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [6] | CVE-2025-58168 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [5] | CVE-2025-58167 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [4] | CVE-2025-58166 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [3] | CVE-2025-58165 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution [2] | CVE-2025-58164 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution (RCE) [1] | CVE-2025-58163 | < 1.8.186 | 2025-07-24 |
| Deserialization of untrusted data leads to Remote code execution (RCE) [9] | CVE-2025-54366 | < 1.8.186 | 2025-07-24 |
| Race condition | CVE-2025-48880 | < 1.8.181 | 2025-05-15 |
| Stored XSS [8] | CVE-2025-48875 | < 1.8.180 | 2025-05-15 |
| Stored XSS [6] | CVE-2025-48488 | < 1.8.180 | 2025-05-15 |
| Stored XSS [4] | CVE-2025-48488 | < 1.8.180 | 2025-05-15 |
| Stored XSS [4] | CVE-2025-48486 | < 1.8.180 | 2025-05-15 |
| Stored XSS [7] | CVE-2025-48489 | < 1.8.180 | 2025-05-15 |
| Stored XSS [6] | CVE-2025-48488 | < 1.8.180 | 2025-05-15 |
| Stored XSS [5] | CVE-2025-48487 | < 1.8.180 | 2025-05-15 |
| Stored XSS [4] | CVE-2025-48486 | < 1.8.180 | 2025-05-15 |
| Stored XSS [3] | CVE-2025-48485 | < 1.8.180 | 2025-05-15 |
| Stored XSS [2] | CVE-2025-48484 | < 1.8.178 | 2025-05-15 |
| Stored XSS leads to CSRF [1] | CVE-2025-48483 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [7] | CVE-2025-48482 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [6] | CVE-2025-48481 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [4] | CVE-2025-48479 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [5] | CVE-2025-48480 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [3] | CVE-2025-48478 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [2] | CVE-2025-48477 | < 1.8.180 | 2025-05-14 |
| Business Logic Errors [1] | CVE-2025-48474 | < 1.8.180 | 2025-05-14 |
| Insufficient authorization [3] | CVE-2025-48474 | < 1.8.180 | 2025-05-14 |
| Insufficient authorization [4] | CVE-2025-48475 | < 1.8.179 | 2025-05-14 |
| Insufficient authorization [1] | CVE-2025-48473 | < 1.8.179 | 2025-05-14 |
| Insufficient authorization [1] | CVE-2025-48472 | < 1.8.179 | 2025-05-14 |
| Arbitrary file upload | CVE-2025-48471 | < 1.8.179 | 2025-05-14 |
| Remote Code Execution (RCE) | CVE-2025-48390 | < 1.8.178 | 2025-05-14 |
| Deserialization of untrusted data | CVE-2025-48389 | < 1.8.178 | 2025-05-14 |
| Insufficient Protection Against CRLF-injection | CVE-2025-48388 | < 1.8.178 | 2025-05-14 |
| Prototype Pollution in getQueryParam Function (URL Query Parser) | CVE-2024-34698 | < 1.8.139 | 2024-05-03 |
| Stored HTML Injection in Editing Received Emails | CVE-2024-34697 | < 1.8.139 | 2024-05-02 |
| Stored XSS to Privilege Escalation After CSP Bypass | CVE-2024-29184 | < 1.8.128 | 2024-03-15 |
| OS Command Injection | CVE-2024-29185 | < 1.8.128 | 2024-03-15 |
| SMTP Mail Credentials Disclosed in Error Log | CVE-2024-28186 | < 1.8.124 | 2024-03-04 |
| Unrestricted File Upload Led to Cross-Site Scripting | CVE-2024-1932 | < 1.8.101 | 2024-02-28 |