freescout

v1.8.223 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

✓ No known CVEs patched
This release patches 2 known CVEs

Topics

customer-support help-desk helpdesk helpdesk-ticketing helpscout laravel
osticket-alternative php shared-mailboxes support ticketing ticketing-system zendesk zendesk-alternative

Affected surfaces

breaking_upgrade rce_ssrf

ReleasePort's take

Moderate signal

Version 1.8.223 disables backward compatibility for the old Message-ID format and patches a prototype pollution flaw in getQueryParam().

Why it matters: The two security fixes (GHSA-8vm3-wwq4-ggfx for the old Message-ID format on fetch, GHSA-w5fc-8pp3-f755 for prototype pollution in getQueryParam()) affect core request handling; operators should upgrade immediately to mitigate risk.

Summary

AI summary

Fixes two security vulnerabilities: a prototype pollution issue in getQueryParam(), and an issue addressed by disabling backward compatibility for the old Message-ID format on fetch.

Changes in this release

Security Critical

Disables backward compatibility for old Message-ID format on fetch (Security: GHSA-8vm3-wwq4-ggfx)

Source: llm_adapter@2026-05-30

Confidence: high

Security Critical

Fixes prototype pollution in getQueryParam() (Security: GHSA-w5fc-8pp3-f755)

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Improves open tracking hash to avoid conflict with SpamAssassin (#5431)

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Fixes signature when moving conversation between mailboxes (#5419)

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Fixes preg_replace_callback() error in Html2Text (#5433)

Source: llm_adapter@2026-05-30

Confidence: high

Bugfix Medium

Fixes fetching message sent to multiple mailboxes from own mailbox (#5434)

Source: llm_adapter@2026-05-30

Confidence: high

Full changelog

Fixed

  • Disabled backward compatibility for old Message-ID format on fetching (Security: GHSA-8vm3-wwq4-ggfx)
  • Improved open tracking hash not to conflict with SpamAssassin (#5431)
  • Fixed signature when moving conversation between mailboxes (#5419)
  • Fixed preg_replace_callback() error in Html2Text (#5433)
  • Fixed prototype pollution in getQueryParam() (Security: GHSA-w5fc-8pp3-f755)
  • Fixed fetching message sent to multiple mailboxes from own mailbox (#5434)

Security Fixes

  • GHSA-8vm3-wwq4-ggfx – Disabled backward compatibility for old Message-ID format on fetching (Security)
  • GHSA-w5fc-8pp3-f755 – Fixed prototype pollution in getQueryParam()

About freescout

FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)

Related context

Earlier breaking changes

  • v1.8.221 Links to attachments uploaded before 2020-03-06 will become unavailable.
  • v1.8.220 Replies to previously received email notifications will not be sent to customers.
