CVE-2026-27636

HIGH

FreeScout <1.8.206 - RCE

Title source: llm

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.

Exploits (3)

github SCANNER 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27636

View Code ZIP pw:eip

nomisec SCANNER

by rav1010 · poc

https://github.com/rav1010/CVE-2026-27636

View Code ZIP pw:eip

metasploit WORKING POC EXCELLENT

by offensiveee, Nir Zadok (nirzadokox) <OX Security>, Moses Bhardwaj (MosesOX) <OX Security> · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/freescout_htaccess_rce.rb

View Code ZIP pw:eip

References (3)

[Patch] https://github.com/freescout-help-desk/freescout/commit/9984071e6f1b4e633fdcffcea82bbebc9c1e009c

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9

[Vendor Advisory] https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc

Scores

CVSS v3 8.8

EPSS 0.2248

EPSS Percentile 95.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

freescout/freescout < 1.8.206

Published Feb 25, 2026

Tracked Since Feb 25, 2026