CVE-2026-28289

CRITICAL

FreeScout <=1.8.206 - Authenticated RCE


Exploitation Summary

EIP tracks 5 public exploits for CVE-2026-28289. PoCs published by XiaomingX, exploitintel, 0xBlackash, including Metasploit module exploits/multi/http/freescout_htaccess_rce.

AI-analyzed exploit summary: The repository contains a functional Python script that exploits CVE-2026-28289, a zero-click RCE vulnerability in FreeScout. The exploit sends a crafted email with malicious attachments (a Unicode-prefixed .htaccess and a PHP webshell) to bypass filename sanitization and achieve remote code execution.

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
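To make the ordering flaw described above concrete, here is an added, simplified Python model of a filename sanitizer (it is not FreeScout's sanitizeUploadedFileName(); the allow-list, strip_invisible() and the rename-to-underscore behaviour are assumptions). It places the flawed check-then-sanitize order beside the corrected sanitize-then-check order, and adds a detection check a defender can run over upload logs.

```python
import re
import unicodedata

# Unicode "format" (Cf) code points such as U+200B ZERO WIDTH SPACE render as
# nothing in most UIs, so a name that starts with one looks like a dot-file
# while not starting with "." at the byte level.
def strip_invisible(name: str) -> str:
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")

def basic_sanitize(name: str) -> str:
    """Drop invisible characters, then collapse anything outside an allow-list.
    (Assumed allow-list; the real sanitizer may differ.)"""
    name = strip_invisible(name)
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)

def sanitize_flawed(name: str) -> str:
    """Flawed order: the dot-prefix check runs on the raw name, and only
    afterwards does sanitization remove the invisible prefix."""
    if name.startswith("."):
        name = "_" + name[1:]        # hidden/dot files are renamed
    return basic_sanitize(name)      # prefix removed AFTER the check: ".htaccess" survives

def sanitize_fixed(name: str) -> str:
    """Fixed order: normalise first, then apply every policy check to the
    name that will actually be written to disk."""
    name = basic_sanitize(name)
    if name.startswith("."):
        name = "_" + name[1:]
    return name

def has_invisible_chars(name: str) -> bool:
    """Detection aid: flag upload filenames carrying Cf code points.
    Legitimate attachments almost never need them."""
    return any(unicodedata.category(ch) == "Cf" for ch in name)

# Constructed sample filenames, as they might appear in an upload log.
SAMPLES = ["report.pdf", ".htaccess", "\u200b.htaccess"]

def audit(names=SAMPLES):
    """Return (name, flawed result, fixed result, suspicious?) per sample."""
    return [(n, sanitize_flawed(n), sanitize_fixed(n), has_invisible_chars(n))
            for n in names]

if __name__ == "__main__":
    for row in audit():
        print(row)
```

The third sample shows the difference: the flawed order stores it as `.htaccess`, the fixed order renames it to `_htaccess`, and the detection check flags it either way.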

Exploits (5)

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-28289

The repository contains a functional Python script that exploits CVE-2026-28289, a zero-click RCE vulnerability in FreeScout. The exploit sends a crafted email with malicious attachments (a Unicode-prefixed .htaccess and a PHP webshell) to bypass filename sanitization and achieve remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: FreeScout ≤ 1.8.206
No auth needed
Prerequisites: SMTP server access · valid email credentials · target FreeScout mailbox
devstral-2 · analyzed Mar 06, 2026
github WORKING POC 2 stars
by exploitintel · cpoc
https://github.com/exploitintel/eip-pocs-and-cves/tree/main/CVE-2026-28289

This repository contains functional exploit code for CVE-2026-28289, a TOCTOU vulnerability in FreeScout ≤1.8.206 that allows authenticated RCE via .htaccess upload bypass using Unicode manipulation. The PoC includes multiple attack vectors and a Docker-based lab environment for testing.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: FreeScout ≤ 1.8.206
Auth required
Prerequisites: Docker and Docker Compose for lab setup · Python 3 with requests library · Valid FreeScout credentials for authenticated attack
devstral-2 · analyzed Mar 14, 2026
nomisec WORKING POC 1 star
by 0xBlackash · poc
https://github.com/0xBlackash/CVE-2026-28289

The repository contains a functional Python script that exploits CVE-2026-28289, a zero-click RCE vulnerability in FreeScout. The exploit sends a malicious email with a Unicode-prefixed .htaccess file and a PHP webshell, bypassing filename sanitization to achieve remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: FreeScout ≤ 1.8.206
No auth needed
Prerequisites: SMTP server access · valid email credentials · target FreeScout mailbox
devstral-2 · analyzed Apr 09, 2026
nomisec WORKING POC
by 0xAshwesker · poc
https://github.com/0xAshwesker/CVE-2026-28289

The repository contains a functional Python script that exploits CVE-2026-28289, a zero-click RCE vulnerability in FreeScout. The exploit sends a malicious email with a Unicode-prefixed .htaccess file and a PHP webshell, bypassing filename sanitization to achieve remote code execution.

Classification: Working PoC 95% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: FreeScout ≤ 1.8.206
No auth needed
Prerequisites: SMTP server access · valid email credentials · target FreeScout instance
devstral-2 · analyzed Mar 06, 2026
metasploit WORKING POC EXCELLENT
by offensiveee, Nir Zadok (nirzadokox) <OX Security>, Moses Bhardwaj (MosesOX) <OX Security> · rubypocphp
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/freescout_htaccess_rce.rb

This Metasploit module exploits CVE-2026-28289 in FreeScout <= 1.8.206 by sending a crafted email with a ZWSP-prefixed .htaccess attachment, which bypasses filename sanitization and achieves RCE via PHP code execution.

Classification: Working PoC 100% · Attack Type: RCE · Complexity: Moderate · Reliability: Reliable
Target: FreeScout ≤ 1.8.206
No auth needed
Prerequisites: Valid mailbox email address · Web-accessible attachment storage
devstral-2 · analyzed Apr 09, 2026

Scores

CVSS v3 10.0
EPSS 0.1622
EPSS Percentile 95.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-434
Status published
Products (1)
freescout/freescout < 1.8.207
Published Mar 03, 2026
Tracked Since Mar 04, 2026