Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

INFO

Published Date :

2026-03-03T22:59:08.679Z

Last Modified :

2026-03-05T21:09:30.846Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-28289 vulnerability.

Vendors Products
Freescout
  • Freescout
Freescout Helpdesk
  • Freescout
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-28289.

URL Resource
https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f cve-icon cve-icon
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp cve-icon cve-icon
https://www.ox.security/blog/freescout-rce-cve-2026-28289/ cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact