Release history

freescout releases

FreeScout — Free self-hosted help desk & shared mailbox (Zendesk / Help Scout alternative)

Upgrade now
1.8.223 Security relevant
Breaking upgrade RCE / SSRF

Security fixes

No immediate action
1.8.222 Bug fix

Signature mailbox fix + auto‑reply routing

Security behavior changed
1.8.221 Breaking risk
Auth RBAC Breaking upgrade

Attachment link unavailability

Security behavior changed
1.8.220 Breaking risk
Auth

Email reply suppression

1.8.219 Mixed patches CVE-2018-15133
Security fixes
  • dep: GHSA-qjr9-6v9q-3r72 — hash added to open tracking URL
  • GHSA-jvmv-2qcp-7855 — Forgot Password form now throttled and returns identical response regardless of email existence
Notable features
  • Catalan translation added
Full changelog

Added

  • Added Catalan translation (#5376)
  • Show warning message in the interface when browser does not support Content Security Policy (CSP).

Fixed

  • Fixed an error on PHP 7.1 (#5377)
  • Added table prefix to raw DB queries (#5385)
  • Added hash to open tracking URL (Security: GHSA-qjr9-6v9q-3r72)
  • Added throttle to the Forgot Password form and return identical response regardless of whether the email exists (Security: GHSA-jvmv-2qcp-7855)
  • Fixed error tracking on creating user profile from invite link (#5390)
1.8.218 Breaking risk
Breaking changes
  • Require DB Password in tools.php
Security fixes
  • GHSA-jx2w-fhmw-rg39
  • GHSA-qrr6-mg7r-m243
Notable features
  • CIDR support in APP_REMOTE_HOST_WHITE_LIST
  • Email decoding improvements
Full changelog

Added

  • Added indexes to several tables (#5328)

Fixed

  • Fixed decoding ISO-2022-JP emails (#5356)
  • Require DB Password and check PHP Path directory in tools.php (Security: GHSA-jx2w-fhmw-rg39)
  • Patched PHPUnit (Security: GHSA-qrr6-mg7r-m243)
  • Fixed Helper::linkify() for emails (#5362)
  • Do not allow to merge conversation with itself.
  • Fixed linking messages into conversations (#5372)
  • Fixed fetching emails into multiple mailboxes (#5368)

Changed

  • Do not log "Untrusted host" error (#5361)
  • Allow to use CIDR in APP_REMOTE_HOST_WHITE_LIST (#5363)
  • Deprecated use_new_pop3_lib config parameter.
1.8.217 Security relevant
Security fixes
  • Fixed path traversal vulnerability in Zipper (#5354)
  • Fixed redirect validation in Helper::sanitizeRemoteUrl() (GHSA-22wf-848c-c856)
  • Improved auto-reply message sanitization (GHSA-q3fh-rj9h-jfrc)
Full changelog

Fixed

  • Fixed On-Off switch on RTL (#5352)
  • Fixed "Zipper: Path traversal detected" error (#5354)
  • Fixed redirect check in Helper::sanitizeRemoteUrl() (Security: GHSA-22wf-848c-c856)
  • Improved sanitizing Auto Reply message (Security: GHSA-q3fh-rj9h-jfrc)
  • Fixed permissions check for user Notifications settings (Security: GHSA-f489-qxv6-gvgg)
  • Make user invite link expirable after 7 days (Security: GHSA-hqff-cwx7-3jpm)
1.8.215 Security relevant
Security fixes
  • File path validation in Zipper before extraction (GHSA-r85m-5mc9-cc9w)
  • CSRF token addition to OAuth Disconnect link (GHSA-6rvw-fhqx-cfv5)
  • Attachment removal sanitization (GHSA-cv36-2j23-x6g3)
Full changelog

Fixed

  • Check file paths in Zipper before extracting files (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-r85m-5mc9-cc9w)
  • Add csrf_token to OAuth Disconnect link (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6rvw-fhqx-cfv5)
  • Sanitize $attachments_to_remove when deleting attachments (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-cv36-2j23-x6g3)
  • Check permissions when setting chat_start_new for a mailbox (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wpv9-c2gv-2j82)
  • Check permissions for assigned-only users when editing drafts (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-vj2p-2789-3747)
  • Check permissions when assigned-only user is editing customer message (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-4h5p-7f5c-q7gj)
  • Fixed compact() - Undefined variable operator (#5308)
  • For assigned-only users show only assigned conversations in the Search (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-7rh8-9rgv-g35r)
  • Make conversation Unassigned when moving it if its assignee does not have access to the target mailbox (#5333)
  • Fix error on creating a user (#5337)
  • Fixed 403 error in open tracking pixel (#5334)
  • Fixed saving Sending and Fetching passwords (#5339)
1.8.214 Security relevant
Security fixes
  • Email movement prevention from inaccessible mailboxes (GHSA-mv55-3mgv-fxwr)
  • Customer accessibility check when changing conversation customer (GHSA-wjw4-8xg6-342m)
  • Customer visibility check when creating Phone conversation (GHSA-9ff4-mmhv-x6jp)
Full changelog

Fixed

  • Fixed Browser check (#5331)
  • Improved joining customer messages into conversations on Fetching (#5308)
  • Do not allow to move emails from customers from inaccessible mailboxes (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mv55-3mgv-fxwr)
  • Check if customer is accessible when changing conversation customer (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-wjw4-8xg6-342m)
  • Check customer visibility when creating a customer within Change Customer dialog (Security)
  • Check customer visibility when creating Phone conversation (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-9ff4-mmhv-x6jp)
  • Check thread created_by_user_id when Undoing sending (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-674v-r6xp-mvp6)
1.8.213 Breaking risk
Breaking changes
  • Cron job URL format changed - updated URL required after installation
Security fixes
  • Attachment token generation algorithm vulnerability (GHSA-2783-wxmm-wmwr)
  • Customer visibility parameter in load_customer_info Ajax action (GHSA-w77q-wjfp-c822)
  • User name tag stripping for security (GHSA-q8v4-v62h-5528)
Notable features
  • Added mailbox.sidebar.buttons hook
Full changelog

If you are running cron jobs via special URL make sure to use the updated URL after installing this release.

Added

  • Added mailbox.sidebar.buttons hook (#5316)

Fixed

  • Change attachment token generation algorithm (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-2783-wxmm-wmwr)
  • Take into account limit_user_customer_visibility parameter in load_customer_info Ajax action (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w77q-wjfp-c822)
  • Fixed "Call to a member function close()" on string in Zipper.
  • Strip tags from name when creating a user (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-q8v4-v62h-5528)
  • Escape user name in flash message when deleting a user (Security)
  • Strip also style tags in Helper::stripDangerousTags() (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fh99-wr77-pxq3)
  • Apply safe_raw_html() function to {!! ... !!} (Security)
  • Improved joining customer messages into conversations on Fetching (#5308)
  • Improve Helper::getWebCronHash() (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5jw5-q9j7-4rxc)
  • Escape customer name in the reply_fancy email template (Security)
  • Limit fields which can be populated on mailbox Fetching and Sending settings pages (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-hmqm-33wp-858j)
  • Require mod_headers (if Apache is used) to download files from /storage/uploads/.
  • Added CheckBrowser middleware ensuring that browser supports CSP (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-w2f5-6wcv-677r)
  • Validate host in mail Fetching and Sending settings (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-fg98-rgx6-8x4g)
  • Send emails to all recipients when forwarding to multiple recipients (#5322)
  • Escape values in Helper::linkify() (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-49pm-xwqj-vwjp)

Changed

  • Check attachment name in the URL when downloading attachments.
1.8.212 Security relevant
Security fixes
  • Limit user customer visibility in customer merge (GHSA-j6v9-22vq-53vh)
  • Conversation ID validation on thread read (GHSA-873c-r7v5-g98v)
Full changelog

Fixed

  • Take limit_user_customer_visibility parameter into account when merging customers (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-j6v9-22vq-53vh)
  • Check if conversation IDs match when marking thread as read (Security: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-873c-r7v5-g98v)
  • Fixed fetching emails with deeply nested HTML (#5304)
  • Fixed "Passing null to parameter" error in Html2Text (#5306)
  • Fixed "Incomplete object" error on Status page (#5307)
1.8.211 Security relevant
Breaking changes
  • Removed IMAP extension from required PHP extensions
Security fixes
  • IP mask validation fix (GHSA-c9v3-4c59-x5q2)
  • Host header injection protection with TrustHosts middleware (GHSA-822g-7rw5-53xj)
Notable features
  • Search conversations by #number
1.8.209 Security relevant
Security fixes
  • Customer visibility authorization check (GHSA-wxg5-g9vv-v8g9)
  • SVG sanitization with comment handling (GHSA-cvr8-cw5c-5pfw)
  • Sanitized thread body inclusion (GHSA-56h2-5556-r6mg)
Notable features
  • OAuth token encryption
  • License key encryption
1.8.208 Security relevant
Security fixes
  • CVE-2025-64500 (Symfony PATH_INFO authorization bypass)
  • CVE-2026-24765 (PHPUnit unsafe deserialization)
  • CVE-2026-25129 (Symfony argument escaping on Windows)
1.8.207 New feature
Security fixes
  • File name sanitization improvement (GHSA-5gpc-65p8-ffwp)
Notable features
  • Google Workspace OAuth email integration
1.8.206 Security relevant
Breaking changes
  • Removed role from fillable User model fields
Security fixes
  • TokenAuth middleware algorithm improvement (GHSA-6gcm-v8xf-j9v9)
  • Extended file type restrictions (GHSA-mw88-x7j3-74vc)
1.8.205 Bug fix

Fixed customer name display after recipient changes, corrected CC/BCC visibility in drafts, improved folder styling, and set conversation subject limits.

1.8.204 Maintenance
Breaking changes
  • Removed Australia/Queensland timezone
  • POP3 implementation switched from IMAP extension to PHP library
1.8.203 Bug fix

Fixed UTF-8 encoding error on PostgreSQL, compacted customer email display in lists, and reverted Gmail history collapse to fix reply separation.

1.8.202 New feature
Notable features
  • command.after_app_update hook
  • Customer email display in conversation lists
1.8.201 Bug fix

Fixed email routing when customer is changed, improved Gmail email history display, and enhanced PHP 8.5 compatibility.
