Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.

INFO

Published Date :

2026-02-25T03:41:33.166Z

Last Modified :

2026-02-25T15:25:24.822Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-27636 vulnerability.

Vendors Products
Freescout
  • Freescout
Freescout Helpdesk
  • Freescout
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-27636.

URL Resource
https://github.com/freescout-help-desk/freescout/commit/9984071e6f1b4e633fdcffcea82bbebc9c1e009c cve-icon cve-icon
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9 cve-icon cve-icon cve-icon
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact