CVE-2026-41193
CRITICAL
FreeScout < 1.8.215 - Zip Slip Remote Code Execution
Title source: manual
Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authenticated admin to write files to arbitrary locations on the server filesystem via a specially crafted ZIP. Version 1.8.215 fixes the vulnerability.
References (3)
x_refsource_confirm
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-r85m-5mc9-cc9w
x_refsource_misc
https://github.com/freescout-help-desk/freescout/commit/14f17a5cd22d217103a72b431b47b1f06996227b
x_refsource_misc
https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215
Scores
CVSS v3
9.1
EPSS
0.0039
EPSS Percentile
30.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-22
Status
published
Products (1)
freescout-help-desk/freescout
< 1.8.215
Published
Apr 21, 2026
Tracked Since
Apr 21, 2026