Fixed

• Added throttling and authentication in tools.php (Security: GHSA-w2p9-3666-vw9j)
• Fixed color of texts in logs table (#5442)
• Patched symfony/routing (Security: CVE-2026-45065)
• Upgraded symfony/polyfill-intl-idn to 1.38.1 (Security: CVE-2026-46644)
• Fixed path traversal in Log Viewer (Security: GHSA-9ph7-f3hc-95gg)
• Moved option to UI: "User can see only assigned conversations" (#701)
• Improved Helper::stripDangerousTags() to strip nested tags (Security: GHSA-jpq8-j69f-mj98)
• Fixed saving mailbox signature by non-admin users (#5443)

Fixed

• Added throttling to file upload routes (Security: GHSA-ph4f-2jhx-q76w)
• Fixed user-setup empty invite_hash issue (Security: GHSA-jqj5-r72v-v29g)
• Improved downloading log files logic (Security: GHSA-858x-8f77-9vc5)
• Restricted .pht files upload (Security: GHSA-27vp-fpg8-j8wv)
• Improved sanitizing customer Websites field.
• Enabled browser check - now it will be impossible to access FreeScout instance from a browser which does not support CSP.

Fixed

• Disabled backward compatibility for old Message-ID format on fetching (Security: GHSA-8vm3-wwq4-ggfx)
• Improved open tracking hash not to conflict with SpamAssasin (#5431)
• Fixed signature when moving conversation between mailboxes (#5419)
• Fixed preg_replace_callback() error in Html2Text (#5433)
• Fixed prototype pollution in getQueryParam() (Security: GHSA-w5fc-8pp3-f755)
• Fixed fetching message sent to multiple mailboxes from own mailbox (#5434)

Added

• Updated German translation.

Fixed

• Fixed undefined $signature_mailbox error on sending (#5427)
• Send Auto Reply from the alias the customer emailed to (#5428)

Links to attachments uploaded before the FreeScout version of 2020-03-06 will become unavailable. This is a breaking change.

Fixed

• Improved permissions check when deleting notes (Security: GHSA-9vx8-gx3p-9mh6)
• Improved permissions check when editing messages (Security: GHSA-3w38-h42v-3h6w)
• Fixed signature when moving conversations between mailboxes (#5419)
• Optimized Helper::stripDangerousTags() to avoid pcre.backtrack_limit hit (#5424)
• Show detailed error on uploading attachments (#5426)

Changed

• Deprecated links to attachments without a token (Security: GHSA-wg74-ww4w-2qpc)
• Updated module activation logic.

After installing this releases replies sent by agents to the previously received email notifications will not be sent to customers. Only replies to the newly received email notifications will be sent. This is a breaking change.

Added

• Add configurable threshold to suppress transient fetch errors in Logs Monitoring (#5399)
• Clear JS and CSS builds when clearing cache.

Fixed

• Check hash in replies to user email notifications (Security: GHSA-6r38-6mcf-2ww3)
• Fixed checking trusted hosts during installation.

Changed

• Activate the module right after activating the license.

Added

• Added Catalan tranlation (#5376)
• Show warning message in the interface when browser does not support Content Security Policy (CSP).

Fixed

• Fixed an error on PHP 7.1 (#5377)
• Added table prefix to raw DB queries (#5385)
• Added hash to open tracking URL (Security: GHSA-qjr9-6v9q-3r72)
• Added throttle to the Forgot Password form and return identical response regardless of whether the email exists (Security: GHSA-jvmv-2qcp-7855)
• Fixed error tracking on creating user profile from invite link (#5390)

Added

• Added indexes to several tables (#5328)

Fixed

• Fixed decoding ISO-2022-JP emails (#5356)
• Require DB Password and check PHP Path direcotory in tools.php (Security: GHSA-jx2w-fhmw-rg39)
• Patched PHPUnit (Security: GHSA-qrr6-mg7r-m243)
• Fixed Helper::linkify() for emails (#5362)
• Do not allow to merge convesation with itself.
• Fixed linking messages into conversations (#5372)
• Fixed fetching emails into multiple mailboxes (#5368)

Changed

• Do not log "Untrusted host" error (#5361)
• Allow to use CIDR in APP_REMOTE_HOST_WHITE_LIST (#5363)
• Deprecated use_new_pop3_lib config parameter.

Fixed

• Fixed On-Off switch on RTL (#5352)
• Fixed "Zipper: Path traversal detected" error (#5354)
• Fixed redirect check in Helper::sanitizeRemoteUrl() (Security: GHSA-22wf-848c-c856)
• Improved sanitizing Auto Reply message (Security: GHSA-q3fh-rj9h-jfrc)
• Fixed permissions check for user Notifications settings (Security: GHSA-f489-qxv6-gvgg)
• Make user invite link expirable after 7 days (Security: GHSA-hqff-cwx7-3jpm)

Fixed

• Fixed null parameter error in CheckBrowser middleware (#5342)
• Fixed moving conversations (#5343)
• Fixed OAuth disconnect link on PHP 7.1 (#5345)
• Fixed search.title hook (#5347)
• Fixed mute icon for non-admin users in Dashboard (#5348)
• Improved fetching into multiple mailboxes (#5350)
• Fixed error in MailHelper::isGeneratedMessageId() (#5351)