freescout

v1.8.221 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 11d Communication & Email

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

customer-support help-desk helpdesk helpdesk-ticketing helpscout laravel

+8 more

osticket-alternative php shared-mailboxes support ticketing ticketing-system zendesk zendesk-alternative

Affected surfaces

auth rbac breaking_upgrade

ReleasePort's take

Light signal

editorial:auto 11d

Links to attachments uploaded before 2020‑03‑06 will become unavailable starting with version 1.8.221.

Why it matters: If your system references pre‑2020‑03‑06 attachment links, they will stop working after the May 23 2026 release; update any such URLs before then.

Summary

AI summary

Links to pre‑2020‑03‑06 uploaded attachments will become unavailable.

Changes in this release

Type	Severity	Summary	CVE
Security	Medium	Improved permissions check when deleting notes. Improved permissions check when deleting notes. Source: llm_adapter@2026-05-23 Confidence: high	—
Security	Medium	Improved permissions check when editing messages. Improved permissions check when editing messages. Source: llm_adapter@2026-05-23 Confidence: high	—
Breaking	Medium	Links to attachments uploaded before 2020-03-06 will become unavailable. Links to attachments uploaded before 2020-03-06 will become unavailable. Source: llm_adapter@2026-05-23 Confidence: low	—
Performance	Medium	Optimized Helper::stripDangerousTags() to avoid pcre.backtrack_limit hit. Optimized Helper::stripDangerousTags() to avoid pcre.backtrack_limit hit. Source: llm_adapter@2026-05-23 Confidence: high	—
Deprecation	Medium	Deprecated links to attachments without a token. Deprecated links to attachments without a token. Source: llm_adapter@2026-05-23 Confidence: low	—
Bugfix	Medium	Fixed signature when moving conversations between mailboxes. Fixed signature when moving conversations between mailboxes. Source: llm_adapter@2026-05-23 Confidence: high	—
Bugfix	Medium	Show detailed error on uploading attachments. Show detailed error on uploading attachments. Source: llm_adapter@2026-05-23 Confidence: high	—
Refactor	Medium	Updated module activation logic. Updated module activation logic. Source: llm_adapter@2026-05-23 Confidence: low	—

Full changelog

Links to attachments uploaded before the FreeScout version of 2020-03-06 will become unavailable. This is a breaking change.

Fixed

Improved permissions check when deleting notes (Security: GHSA-9vx8-gx3p-9mh6)
Improved permissions check when editing messages (GHSA-3w38-h42v-3h6w)
Fixed signature when moving conversations between mailboxes (#5419)
Optimized Helper::stripDangerousTags() to avoid pcre.backtrack_limit hit (#5424)
Show detailed error on uploading attachments (#5426)

Changed

Deprecated links to attachments without a token (Security: GHSA-wg74-ww4w-2qpc)
Updated module activation logic.

Breaking Changes

Links to attachments uploaded before 2020-03-06 will become unavailable

Security Fixes

GHSA-9vx8-gx3p-9mh6 — improved permissions check when deleting notes
GHSA-3w38-h42v-3h6w — improved permissions check when editing messages
dep: GHSA-wg74-ww4w-2qpc — deprecated links to attachments without a token

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track freescout

Get notified when new releases ship.

About freescout

FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)

All releases →

Related context

Related tools

Earlier breaking changes

v1.8.220 Replies to previously received email notifications will not be sent to customers.