CVE-2026-27636
published 2026-02-25
Priority: P268 · high · 8.8 (CVSS 3.1)
CVSS vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 2.12% (79.6th percentile)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freescout-help-desk | freescout | < 1.8.207 | 1.8.207 |
| freescout | freescout | < 1.8.207 | 1.8.207 |
| freescout | freescout | < 1.8.206 | 1.8.206 |
Detection & IOCs (extracted from sources)
- Detect inbound email attachments with a Zero-Width Space (U+200B) character prefix in the filename, which is used to bypass dot-prefix filename validation in FreeScout's sanitizeUploadedFileName().
- Alert on HTTP requests to paths under storage/app/ (web-accessible via storage:link) that result in PHP code execution, indicative of a successfully placed malicious .htaccess using SetHandler.
- The exploit is triggered via the IMAP/POP3 cron job (typically every 60 seconds) fetching a crafted email sent via SMTP. Monitor for unexpected .htaccess file creation events correlated with mail-fetch cron activity.
- This is a zero-click, unauthenticated attack vector — no HTTP login attempt will precede exploitation. Detection should focus on the mail delivery path and resulting filesystem artifacts rather than web authentication logs.
- The web-accessible symlink (storage:link pointing to storage/app/) must be present for the attacker to reach the uploaded .htaccess via HTTP. Removing or restricting this symlink reduces exploitability.
- CVE-2026-28289 is a patch bypass for CVE-2026-27636. Instances patched only to 1.8.206 remain fully vulnerable; the fix is exclusively in version 1.8.207.
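As an added illustration of the filename and HTTP checks listed above (example code, not FreeScout's own `sanitizeUploadedFileName()`): a hardened upload-name check that strips invisible Unicode format characters before testing for a leading dot, generalised beyond U+200B to every `Cf` character, plus a triage pass over constructed access-log lines for dot-files or script-like names requested under the storage:link path. The `/storage/` URL prefix, the blocked-extension set and the sample log lines are assumptions.

```python
import re
import unicodedata

# Assumed example list of script extensions an upload filter should reject.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}

# Apache combined-log request part: "METHOD PATH HTTP/x.y" STATUS
ACCESS_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def normalize_upload_name(name: str) -> str:
    """Drop Unicode format (Cf, e.g. U+200B) and control (Cc) characters
    anywhere in the name, then trim whitespace, so a leading dot cannot be
    hidden behind a zero-width prefix."""
    nfkc = unicodedata.normalize("NFKC", name)
    cleaned = "".join(ch for ch in nfkc if unicodedata.category(ch) not in ("Cf", "Cc"))
    return cleaned.strip()


def is_blocked_upload_name(name: str) -> bool:
    """Reject empty names, dot-prefixed names (.htaccess, .user.ini and other
    hidden/override files) and names with a script extension."""
    n = normalize_upload_name(name)
    if not n or n.startswith("."):
        return True
    ext = n.rsplit(".", 1)[-1].lower() if "." in n else ""
    return ext in BLOCKED_EXTENSIONS


def suspicious_storage_requests(log_lines):
    """Return (path, status) for requests under /storage/ (assumed storage:link
    prefix) whose basename the upload rule would have rejected."""
    hits = []
    for line in log_lines:
        m = ACCESS_LINE.search(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path.startswith("/storage/") and is_blocked_upload_name(path.rsplit("/", 1)[-1]):
            hits.append((path, int(m.group("status"))))
    return hits


SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '203.0.113.5 - - [25/Feb/2026:10:00:01 +0000] "GET /storage/attachment/1a/report.pdf HTTP/1.1" 200 5120',
    '203.0.113.5 - - [25/Feb/2026:10:00:07 +0000] "GET /storage/attachment/1a/.htaccess HTTP/1.1" 403 199',
    '203.0.113.5 - - [25/Feb/2026:10:00:09 +0000] "GET /storage/attachment/1a/note.phtml?x=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [25/Feb/2026:10:01:00 +0000] "GET /conversation/12 HTTP/1.1" 200 7110',
]

if __name__ == "__main__":
    print(is_blocked_upload_name("\u200b.htaccess"))   # True: prefix stripped first
    print(suspicious_storage_requests(SAMPLE_LOG))
```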
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- GHSA: 5.6 MEDIUM
No detection rules found.
Rapid7 · blogs_rapid7 · 2026-04-03 · CVSS 8.1
[HIGH] Metasploit Wrap-Up 04/03/2026
## Additional Adapters and More Modules
This week, we added a whole new bunch of HTTP/HTTPS-based CMD payloads for X64 and X86 versions of Windows. The additional breadth of selectable payloads and delivery techniques allows users new options to tailor the attack workflow for their environment. This was contributed by bwatters-r7. Adding new architectures for adapted payloads is surprisingly easy and something a first-time contributor might want to look into!
New modules added to Metasploit Framework also allow for targeting FreeScout and Grav CMS, both of which result in remote code execution. These modules were contributed by Chocapikk and x1o3 respectively. Thanks!
Thanks to g0tmi1k , Metasploit Framework now also includes an exploit module, multi/http/os_cmd_exec, which allows for
Bleepingcomputer · blogs_bleepingcomputer · 2026-03-04 · CVSS 8.8
CVE-2026-28289 [HIGH] Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers
By Bill Toulas
A maximum severity vulnerability in the FreeScout helpdesk platform allows hackers to achieve remote code execution without any user interaction or authentication.
The flaw is tracked as CVE-2026-28289 and bypasses a fix for another remote code execution (RCE) security issue (CVE-2026-27636) that could be exploited by authenticated users with upload permissions.
Researchers at OX Security, a company that secures applications from code to runtime, say that an attacker can exploit the new vulnerability by "sending a single crafted email to any address configured in FreeScout."
According to them, the fix attempted to block dangerous file uploads by modifying filenames with restricted extensions or
Bugzilla · bugzilla · 2026-04-27 · CVSS 5.6
CVE-2026-40453 [MEDIUM] Apache Camel: org.apache.camel: Apache Camel: Remote Code Execution and Arbitrary File Write via case-variant header injection
The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in
References
- https://github.com/freescout-help-desk/freescout/commit/9984071e6f1b4e633fdcffcea82bbebc9c1e009c
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9
- https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc