CVE-2026-27636

CVE-2026-27636 is an unrestricted upload vulnerability in FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. In versions prior to 1.8.206, the file upload restriction list implemented in `app/Misc/Helper.php` fails to block `.htaccess` or `.user.ini` files. This allows authenticated users to upload such files to directories on Apache web servers configured with `AllowOverride All`, a common default setting, enabling attackers to override server configurations for malicious purposes. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-434 (Unrestricted Upload of File with Dangerous Type).

An authenticated user with low privileges, such as a standard help desk ticket submitter, can exploit this remotely over the network with low complexity and no user interaction required. By uploading a crafted `.htaccess` file, the attacker redefines how Apache processes subsequent files, leading to remote code execution (RCE) on the server. This can occur independently or in combination with CVE-2026-27637, potentially granting full server compromise including data exfiltration, privilege escalation, or further lateral movement.

The FreeScout project addressed this in version 1.8.206 by updating the file upload restrictions in `app/Misc/Helper.php` to explicitly block `.htaccess` and `.user.ini` files, as detailed in the project's GitHub security advisories (GHSA-6gcm-v8xf-j9v9 and GHSA-mw88-x7j3-74vc) and the fixing commit (9984071e6f1b4e633fdcffcea82bbebc9c1e009c). Security practitioners should upgrade to 1.8.206 or later, review Apache configurations to limit `AllowOverride` where possible, and audit file upload directories for unauthorized `.htaccess` files.