Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
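The ordering problem described above, shown as an added illustrative example rather than FreeScout's own code: a check that runs before invisible characters are stripped can be bypassed by a zero-width prefix, while normalizing first and checking second closes that gap. Function names, the stripped code-point set and the sample names are assumptions made for this example.

```php
<?php
// Illustrative example, not FreeScout code. Demonstrates why the dot-prefix
// check must run AFTER invisible characters are removed, not before.

function stripInvisible(string $name): ?string
{
    // Remove zero-width / BOM code points and ASCII control characters.
    // preg_replace with /u returns null on invalid UTF-8; propagate that
    // so the caller rejects the name instead of passing it through.
    $name = preg_replace('/[\x{200B}-\x{200F}\x{2060}-\x{2064}\x{FEFF}]/u', '', $name);
    if ($name === null) {
        return null;
    }
    return preg_replace('/[\x00-\x1F\x7F]/', '', $name);
}

// Flawed ordering: the policy check sees the original bytes, so a name
// starting with U+200B does not start with '.' at the moment of the check.
function checkThenSanitize(string $name): bool
{
    if ($name !== '' && $name[0] === '.') {
        return false;
    }
    return stripInvisible($name) !== null;
}

// Hardened ordering: normalize first, then apply every policy check to the
// normalized basename so nothing can be hidden from the check.
function sanitizeThenCheck(string $name): bool
{
    $clean = stripInvisible($name);
    if ($clean === null) {
        return false;                      // invalid UTF-8: reject outright
    }
    $clean = trim(basename($clean));       // no path components, no padding
    if ($clean === '' || $clean[0] === '.') {
        return false;                      // dotfiles are never accepted
    }
    return true;
}

// Constructed sample names; "\u{200B}.htaccess" is the zero-width-space case.
$samples = ['report.pdf', '.htaccess', "\u{200B}.htaccess", "\u{FEFF}.htaccess"];
foreach ($samples as $s) {
    printf("%-28s check-first: %-8s sanitize-first: %s\n", json_encode($s),
        checkThenSanitize($s) ? 'accept' : 'reject',
        sanitizeThenCheck($s) ? 'accept' : 'reject');
}
```

Only `report.pdf` should be accepted by the hardened ordering; the check-first ordering accepts the two invisible-prefix variants.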
Exploits (5)
github
WORKING POC
10 stars
by XiaomingX · python, poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-28289
github
WORKING POC
2 stars
by exploitintel · c, poc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-28289
metasploit
WORKING POC
EXCELLENT
by offensiveee, Nir Zadok (nirzadokox) <OX Security>, Moses Bhardwaj (MosesOX) <OX Security> · ruby, poc, php
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/freescout_htaccess_rce.rb
Scores
CVSS v3
10.0
EPSS
0.2228
EPSS Percentile
95.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Lab Environment
COMMUNITY
Community Lab
Details
CWE
CWE-434
Status
published
Products (1)
freescout/freescout
< 1.8.207
Published
Mar 03, 2026
Tracked Since
Mar 04, 2026