Fixed Intel

CVE-2026-28289

Critical
CVSS 10PoC Available

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

CVSS Score

10/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Weakness Classification (CWE)

CWE-434Unrestricted Upload of FileMITRE

Known Exploits

POC
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwpexploithttps://www.ox.security/blog/freescout-rce-cve-2026-28289/exploit

Related Articles (1)

Industry News

⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack & Vibe-Coded Malware

Your weekly cybersecurity roundup covering the latest threats, exploits, vulnerabilities, and security news you need to know.

Mar 9, 2026

References (3)

https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818fsecurity-advisories@github.comhttps://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwpsecurity-advisories@github.comhttps://www.ox.security/blog/freescout-rce-cve-2026-28289/af854a3a-2127-422b-91ae-364da2661108

Risk Assessment

HIGH
Known exploit
Critical CVSS

Details

Severity
Critical
CVSS
10
CWE
CWE-434
Exploit
POC
CISA KEV
No
Articles
1

Timeline

Published

Mar 3, 2026

External Links

NVD (NIST)CVE DetailsMITRE CVE