CVE-2025-48389

HIGH

FreeScout <1.8.178 - Deserialization

Title source: llm

Description

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the get method, deserialization will occur, which will allow arbitrary code execution This issue has been patched in version 1.8.178.

References (2)

Scores

CVSS v3 7.2
EPSS 0.0265
EPSS Percentile 85.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Classification

CWE
CWE-502
Status published

Affected Products (1)

freescout/freescout < 1.8.178

Timeline

Published May 29, 2025
Tracked Since Feb 18, 2026