FreeScout: User Account Enumeration via Password Reset Response Differentiation

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.

Basic Information

ID CVE-2026-45294

Source GitHub_M

Published May 29, 2026 at 19:52

Affected Product

Vendor freescout-help-desk

Product freescout

Version < 1.8.219

Affected Versions freescout-help-desk freescout < 1.8.219

CWE Classification

CWE-203 CWE-204

References

github.com /freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855

{
    "lastseen": "",
    "description": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to 1.8.219, the password reset endpoint returns visually distinct responses depending on whether the submitted email address belongs to an existing user account, allowing unauthenticated attackers to enumerate valid helpdesk agent email addresses. This vulnerability is fixed in 1.8.219.",
    "published": "2026-05-29T19:52:22.535Z",
    "modified": "2026-05-29T19:52:22.535Z",
    "type": "cve",
    "title": "FreeScout: User Account Enumeration via Password Reset Response Differentiation",
    "source": "GitHub_M",
    "references": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-jvmv-2qcp-7855",
    "id": "CVE-2026-45294",
    "bulletinFamily": "",
    "cwe": [
        "CWE-203",
        "CWE-204"
    ],
    "cvelist": null,
    "sourceData": "freescout-help-desk freescout < 1.8.219",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "freescout",
    "version": "< 1.8.219",
    "vendor": "freescout-help-desk",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

FreeScout: User Account Enumeration via Password Reset Response Differentiation_CVE-2026-45294