CVE-2026-34443

low-risk
Published 2026-03-31

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, checkIpByMask() in app/Misc/Helper.php checks whether the input IP contains a / character. Plain IP addresses never contain /, so the function always returns false without checking any CIDR ranges. The entire 10.0.0.0/8 and 172.16.0.0/12 private ranges are unprotected. This issue has been patched in version 1.8.211.

Do I need to act?

-
0.04% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.3/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Freescout

References (3)

Patch https://github.com/freescout-help-desk/freescout/commit/ca6d5bb572d3e8f52a0e654a...
Release Notes https://github.com/freescout-help-desk/freescout/releases/tag/1.8.211
Vendor Advisory https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-c9v3-4...
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal