cbcvebase.
CVE-2026-27636
published 2026-02-25


Priority: P2 (68) · Severity: high · CVSS 3.1 base score: 8.8
Vector: AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Tags: EXPLOIT
EPSS: 2.12% (79.6th percentile)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
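The mechanism the description relies on is Apache honouring a per-directory `.htaccess` wherever `AllowOverride All` is in effect. Below is an added illustration, not configuration from FreeScout or the advisory, of that weak setting next to a per-directory section that neutralises an uploaded `.htaccess` in the upload tree reached through the `storage:link` symlink. The install paths are assumptions.

```apache
# Weak: every directory under the document root may carry a .htaccess that
# redefines handlers (SetHandler and friends), so an uploaded one is honoured.
<Directory "/var/www/freescout/public">
    AllowOverride All
    Require all granted
</Directory>

# Hardened: no overrides and no PHP execution in the upload tree.
# Apache matches <Directory> against the path it used to reach the file,
# i.e. the symlink path public/storage, not the link target storage/app,
# so the section targets the symlink path (assumed here).
<Directory "/var/www/freescout/public/storage">
    AllowOverride None
    # mod_php only: switch the engine off for this tree.
    php_admin_flag engine off
    # With PHP-FPM the flag above does nothing, so also refuse PHP files outright.
    <FilesMatch "\.(php|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>
```

With `AllowOverride None` in force for that tree, an uploaded `.htaccess` is never read, which removes the execution step even if the upload filter is bypassed again; it complements, rather than replaces, upgrading to a fixed version.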

Affected

3 ranges

Vendor               Product    Version range   Fixed in
freescout-help-desk  freescout  < 1.8.207       1.8.207
freescout            freescout  < 1.8.207       1.8.207
freescout            freescout  < 1.8.206       1.8.206

The "< 1.8.206" range is the original advisory's; the two "< 1.8.207" ranges account for the patch bypass tracked as CVE-2026-28289 (see the detection notes below).

Detection & IOCs (extracted from sources)

path      app/Http/Helper.php (the advisory description above places the restriction list in app/Misc/Helper.php)
filename  .htaccess
other     Unicode U+200B (Zero-Width Space) prefix on filename
process   sanitizeUploadedFileName()
  • Detect inbound email attachments whose filename begins with a Zero-Width Space (U+200B); the invisible prefix is used to bypass the dot-prefix filename validation in FreeScout's sanitizeUploadedFileName().
  • Alert on HTTP requests to paths under storage/app/ (web-accessible via storage:link) that result in PHP code execution, which indicates a malicious .htaccess with SetHandler has been placed successfully.
  • In the mail-borne variant the exploit is triggered by the IMAP/POP3 cron job (typically every 60 seconds) fetching a crafted email delivered via SMTP. Monitor for unexpected .htaccess file creation events correlated with mail-fetch cron activity.
  • Delivered through the mail path, this is a zero-click vector: no HTTP login attempt precedes exploitation, so detection should focus on the mail delivery path and the resulting filesystem artifacts rather than on web authentication logs. (The direct variant, an authenticated user uploading the file, is what the CVSS PR:L reflects.)
  • The web-accessible symlink (storage:link pointing to storage/app/) must be present for the attacker to reach the uploaded .htaccess over HTTP. Removing or restricting this symlink reduces exploitability.
  • CVE-2026-28289 is a patch bypass for CVE-2026-27636. Instances patched only to 1.8.206 remain fully vulnerable; the complete fix is in version 1.8.207.
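The first detection note describes a filename check that only looks at the first character and is defeated by an invisible prefix. The following is an added example, not FreeScout's code and not a reconstruction of sanitizeUploadedFileName(): a naive dot-prefix check of that kind beside a hardened check that normalizes the name before deciding, plus a small detector that flags zero-width-prefixed attachment names of the sort the note asks you to alert on. The sample filenames, the blocked-extension set and all function names are constructed for illustration.

```python
import re
import unicodedata

# Constructed sample: attachment filenames as a mail-fetch log might record
# them. The first two carry an invisible prefix (U+200B zero-width space,
# U+FEFF byte-order mark) in front of the leading dot.
SAMPLE_ATTACHMENT_NAMES = [
    "\u200b.htaccess",
    "\ufeff.user.ini",
    "quarterly-report.pdf",
    "invoice.php.jpg",
    ".htaccess",
]

# Assumption: typical executable extensions an upload filter refuses. The
# page itself only names .htaccess and .user.ini as the missing entries.
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}

# Zero-width / format characters that render as nothing and so hide a
# leading dot from a first-character check. The page names U+200B; the
# others are added here as the obvious siblings.
ZERO_WIDTH_PREFIX = re.compile(r"^[\u200b\u200c\u200d\u2060\ufeff]+")


def naive_dot_check(filename: str) -> bool:
    """Vulnerable-style check: accepts anything whose first character is
    not '.'. A zero-width space in front of '.htaccess' makes it pass."""
    return not filename.startswith(".")


def normalize_filename(filename: str) -> str:
    """Reduce a filename to what the server will actually see on disk:
    compatibility-normalize, drop Unicode format (Cf) and control (Cc)
    characters, keep only the basename, trim and lower-case."""
    name = unicodedata.normalize("NFKC", filename)
    name = "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))
    name = re.split(r"[\\/]", name)[-1]
    return name.strip().lower()


def hardened_check(filename: str) -> bool:
    """Return True if the upload name is acceptable.
    Dotfiles (.htaccess, .user.ini) are rejected only after normalization,
    so the invisible-prefix trick no longer helps; executable extensions are
    refused anywhere in the name (shell.php.jpg)."""
    name = normalize_filename(filename)
    if not name or name.startswith("."):
        return False
    return not any(seg in BLOCKED_EXTENSIONS for seg in name.split(".")[1:])


def find_zero_width_prefixed(filenames):
    """Detection: return the names that begin with zero-width characters,
    the attachment IOC the notes above call out."""
    return [f for f in filenames if ZERO_WIDTH_PREFIX.match(f)]


if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENT_NAMES:
        print(repr(name), "naive:", naive_dot_check(name), "hardened:", hardened_check(name))
    print("alerts:", [repr(n) for n in find_zero_width_prefixed(SAMPLE_ATTACHMENT_NAMES)])
```

The point of normalizing before checking is that the decision is made on the name the filesystem and Apache will see, not on the raw bytes the sender chose; the detector is the mirror image and is cheap enough to run over every attachment name the mail-fetch job records.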

CVSS provenance

Source  Version  Score  Severity  Vector
nvd     3.1      8.8    HIGH      CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
ghsa    (not stated)  5.6  MEDIUM  (vector not given)