CVE-2026-28289
published 2026-03-03

Priority: P274 (high)
CVSS 3.1: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public (Metasploit module)
EPSS: 31.14% (98.0th percentile)
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
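The ordering flaw the advisory describes, as an added model that is not FreeScout's code: the real sanitizeUploadedFileName() in app/Http/Helper.php is not reproduced here, only the check-then-strip order that lets a U+200B prefix hide the leading dot, next to the strip-then-check order that closes it. That the dot check rejects the file (rather than renaming it) is an assumption; the hardened version additionally NFKC-normalises and trims whitespace so that other invisible prefixes cannot do the same job, and rejects a name that is empty after stripping.

```python
import unicodedata

# Added example, not FreeScout's code: a minimal model of the ordering
# flaw described for sanitizeUploadedFileName() (app/Http/Helper.php).
# What is modelled is the check-then-strip order the advisory describes
# and the strip-then-check order that closes it. Rejecting on a dotfile
# hit (rather than renaming) is an assumption.


class RejectedFilename(ValueError):
    """Raised when a filename fails the dotfile check."""


def strip_invisible(name: str) -> str:
    """Remove Unicode format characters (category Cf): this covers
    U+200B ZERO WIDTH SPACE, the U+200C/U+200D joiners and U+FEFF."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def vulnerable_sanitize(name: str) -> str:
    """Check-then-strip: the dot check sees the raw name, so a leading
    U+200B hides the dot and the stripped result is the dotfile."""
    if name.startswith("."):
        raise RejectedFilename(name)
    return strip_invisible(name)


def fixed_sanitize(name: str) -> str:
    """Strip-then-check: normalise first, then apply every check to the
    exact name that would be written to disk."""
    name = strip_invisible(unicodedata.normalize("NFKC", name)).strip()
    if not name or name.startswith("."):
        raise RejectedFilename(name)
    return name


def is_accepted(sanitizer, name: str) -> bool:
    """True if the sanitizer would store the file under some name."""
    try:
        sanitizer(name)
        return True
    except RejectedFilename:
        return False


if __name__ == "__main__":
    payload = "\u200b.htaccess"  # ZWSP + .htaccess, the bypass filename
    for fn in (vulnerable_sanitize, fixed_sanitize):
        try:
            print(f"{fn.__name__}: stored as {fn(payload)!r}")
        except RejectedFilename:
            print(f"{fn.__name__}: rejected")
```

The general rule the model illustrates: any check that runs on a name before the last transformation of that name can be bypassed by input the transformation later removes, so validation must be the final step and must inspect the value actually persisted.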

Affected (1 range)

  Vendor      Product     Version range   Fixed in
  freescout   freescout   < 1.8.207       1.8.207

Detection & IOCs (extracted from sources)

  path:      app/Http/Helper.php
  filename:  .htaccess
  other:     Unicode U+200B (Zero-Width Space) prefix on filename
  path:      multi/http/freescout_htaccess_rce (Metasploit module)
  process:   sanitizeUploadedFileName()
  • Detect email attachments whose filename starts with a Zero-Width Space (U+200B), particularly those with a .htaccess base name, delivered to FreeScout-configured mailboxes via SMTP/IMAP/POP3.
  • Alert on HTTP requests to paths under the FreeScout storage/app/ directory exposed by storage:link that result in PHP code execution; that indicates a successfully uploaded malicious .htaccess using SetHandler.
  • Via the email delivery vector the exploit is zero-click and unauthenticated: no user interaction is required. Treat any unexpected .htaccess file appearing in FreeScout attachment directories as a high-severity indicator of compromise.
  • This is a patch bypass for CVE-2026-27636. The flaw labelled TOCTOU is an ordering bug rather than a race: the dot-prefix check in sanitizeUploadedFileName() runs before invisible Unicode characters (ZWSP, U+200B) are stripped, so the original CVE-2026-27636 fix is fully bypassed.
  • The vulnerability affects all FreeScout versions up to and including 1.8.206. The fix is in version 1.8.207. Patching alone may be insufficient: also stop Apache from honouring .htaccess in the attachment directory (AllowOverride None instead of AllowOverride All).
  • The Metasploit module description labels this 'Unauthenticated RCE', while the NVD/vendor advisory states it requires 'any authenticated user with file upload permissions'. The zero-click email delivery path (sending a crafted email with the attachment to a FreeScout mailbox) is what enables unauthenticated exploitation.
  • Exploitation via the email delivery vector depends on the IMAP/POP3 fetch cron job (typically every 60 seconds): the malicious .htaccess is only stored and reachable after it runs.
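The detection bullets above, as an added example that is neither FreeScout's nor the Metasploit module's code: it applies the listed IOCs to attachment names and contents, flagging a .htaccess base name with or without a zero-width prefix, any Unicode format character in a filename (the mail-side indicator, since the prefix is gone once the file is on disk), and Apache directives such as SetHandler that would route requests to PHP. The storage/app/attachment path and the sample attachments are constructed for the example.

```python
import os
import re
import unicodedata

# Added detection example (not FreeScout's or Metasploit's code). Input is
# (path, content) pairs, either from a mail parser (where the U+200B prefix
# is still present) or from a walk of the attachment directory on disk.

# Apache directives that hand a request to PHP: SetHandler/AddHandler/
# AddType naming a php handler, or php_value/php_flag lines.
PHP_DIRECTIVE = re.compile(
    r"^\s*(SetHandler|AddHandler|AddType)\b.*php|^\s*php_(value|flag)\b",
    re.IGNORECASE | re.MULTILINE,
)


def invisible_chars(name: str):
    """Unicode format characters (category Cf) in a filename, U+200B included."""
    return [ch for ch in name if unicodedata.category(ch) == "Cf"]


def inspect_attachment(path: str, content=b"") -> list:
    """Return the reasons this attachment is suspicious (empty list if none)."""
    name = os.path.basename(path)
    reasons = []
    hidden = invisible_chars(name)
    if hidden:
        codes = ",".join("U+%04X" % ord(c) for c in hidden)
        reasons.append("invisible chars in filename: " + codes)
    visible = "".join(ch for ch in name if unicodedata.category(ch) != "Cf")
    if visible.lower() == ".htaccess":
        reasons.append(".htaccess base name")
    text = content.decode("utf-8", "replace") if isinstance(content, bytes) else content
    if PHP_DIRECTIVE.search(text):
        reasons.append("PHP handler directive in content")
    return reasons


def scan(items) -> list:
    """items: iterable of (path, content). Returns [(path, reasons)] for hits only."""
    hits = []
    for path, content in items:
        reasons = inspect_attachment(path, content)
        if reasons:
            hits.append((path, reasons))
    return hits


def scan_directory(root: str) -> list:
    """Walk an on-disk attachment tree (hypothetical path, e.g. storage/app/attachment)."""
    def walk():
        for dirpath, _, files in os.walk(root):
            for f in files:
                p = os.path.join(dirpath, f)
                try:
                    with open(p, "rb") as fh:
                        yield p, fh.read(4096)  # directives sit at the top
                except OSError:
                    continue
    return scan(walk())


# Constructed sample: one benign file, the bypass attachment as seen in
# mail, a dotfile already on disk, and a zero-width character mid-name.
SAMPLE = [
    ("storage/app/attachment/1/invoice.pdf", b"%PDF-1.4\n"),
    ("storage/app/attachment/2/\u200b.htaccess", b"SetHandler application/x-httpd-php\n"),
    ("storage/app/attachment/3/.htaccess", b"Options -Indexes\n"),
    ("storage/app/attachment/4/report\u200b.txt", b"quarterly numbers\n"),
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE):
        print(path.encode("unicode_escape").decode(), "->", "; ".join(reasons))
```

Run it against a mail parser's attachment list before the fetch cron stores files, and as a periodic sweep of the attachment directory afterwards; on disk the zero-width prefix is already stripped, so the .htaccess name and handler-directive checks carry the detection there.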