CVE-2026-28289

10.0 CRITICAL
Published: March 03, 2026 Modified: March 11, 2026
View on NVD

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f
Source: security-advisories@github.com
Patch
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp
Source: security-advisories@github.com
Exploit Mitigation Vendor Advisory
https://www.ox.security/blog/freescout-rce-cve-2026-28289/
Source: af854a3a-2127-422b-91ae-364da2661108
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
10.0 / 10.0
EPSS (Exploit Probability)
0.0%
10th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-434

Affected Vendors

freescout

Related CVEs

CVE-2026-33136 9.3
CVE-2026-33135 9.3
CVE-2026-33134 9.3
CVE-2026-33133 N/A
CVE-2026-33132 5.3