CVE-2026-27636

HIGH

FreeScout < 1.8.206 - Authenticated Remote Code Execution via .htaccess Upload

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-27636. PoCs published by XiaomingX, rav1010, offensiveee, Nir Zadok (nirzadokox) <OX Security>, Moses Bhardwaj (MosesOX) <OX Security>, including Metasploit module exploits/multi/http/freescout_htaccess_rce.

AI-analyzed exploit summary

The repository contains a Python script designed for passive reconnaissance and fingerprinting of FreeScout deployments, focusing on detecting exposure related to CVE-2026-27636. It performs various checks such as favicon hashing, directory listing detection, module enumeration, and security header analysis without attempting exploitation.

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.

Exploits (3)

github SCANNER 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27636

The repository contains a Python script designed for passive reconnaissance and fingerprinting of FreeScout deployments, focusing on detecting exposure related to CVE-2026-27636. It performs various checks such as favicon hashing, directory listing detection, module enumeration, and security header analysis without attempting exploitation.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: FreeScout
No auth needed
Prerequisites: network access to the target · target running FreeScout
devstral-2 · analyzed Mar 05, 2026
nomisec SCANNER
by rav1010 · poc
https://github.com/rav1010/CVE-2026-27636

The repository contains a Python script designed for passive reconnaissance and fingerprinting of FreeScout deployments, focusing on detecting exposure related to CVE-2026-27636. It performs various checks such as favicon hashing, directory listing detection, module enumeration, and security header analysis without attempting exploitation.

Classification
Scanner 95%
Attack Type
Info Leak
Complexity
Moderate
Reliability
Reliable
Target: FreeScout
No auth needed
Prerequisites: network access to the target · target running FreeScout
devstral-2 · analyzed Mar 04, 2026
metasploit WORKING POC EXCELLENT
by offensiveee, Nir Zadok (nirzadokox) <OX Security>, Moses Bhardwaj (MosesOX) <OX Security> · ruby · poc · php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/freescout_htaccess_rce.rb

This Metasploit module exploits an unauthenticated RCE in FreeScout via a ZWSP bypass in .htaccess uploads. It sends a crafted email with a malicious .htaccess attachment, which is processed by FreeScout's cron job and executed as PHP.

Classification
Working Poc 100%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: FreeScout <= 1.8.206
No auth needed
Prerequisites: Valid mailbox email address · Web-accessible attachment storage
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3 8.8
EPSS 0.1727
EPSS Percentile 95.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
freescout/freescout < 1.8.206
Published Feb 25, 2026
Tracked Since Feb 25, 2026