Cyber Posture

CVE-2026-28289

Severity: Critical · Public PoC available

Published: 03 March 2026
Modified: 11 March 2026
KEV Added
Patch
CVSS Score: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.2228 (95.8th percentile)
Risk Priority: 33 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
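The ordering flaw described above, as an added illustration that is not FreeScout's code (it is written in Python rather than the project's PHP, and the allowlist, sample names and "reject by returning None" behaviour are assumptions of this example, not details from the advisory). `check_then_sanitize` reproduces the vulnerable order: the dot-prefix check looks at the raw name, so a leading zero-width space hides the dot, and the later cleanup turns the name into `.htaccess`. `sanitize_then_check` normalizes first and runs every check on the name that will actually be written, and `accept_upload` adds the extension allowlist that the mitigating controls section recommends as a second layer:

```python
import unicodedata
from typing import Optional

# Constructed sample names for this example (not taken from the advisory):
# a leading U+200B hides the dot from a check that runs on the raw name.
SAMPLE_NAMES = ["\u200b.htaccess", "report.pdf", "notes\ufeff.txt", "shell.phtml"]

# Hypothetical allowlist of extensions the upload handler accepts once the
# name has been normalized.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt"}


def strip_invisible(name: str) -> str:
    """Remove Unicode format characters (category Cf: zero-width space, joiners,
    BOM) and control characters (Cc) from a file name."""
    return "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))


def check_then_sanitize(name: str) -> Optional[str]:
    """Vulnerable ordering (the TOCTOU pattern the advisory describes): the
    dot-prefix check runs on the raw name and invisible characters are removed
    afterwards, so a name starting with U+200B passes the check and then becomes
    '.htaccess'. Rejection is modelled as returning None (an assumption; the real
    handler's response is not described on the page)."""
    if name.startswith("."):
        return None
    return strip_invisible(name)


def sanitize_then_check(name: str) -> Optional[str]:
    """Fixed ordering: normalize first, then apply every check to the final name."""
    cleaned = strip_invisible(name).strip()
    if not cleaned or cleaned.startswith("."):
        return None
    return cleaned


def accept_upload(name: str) -> Optional[str]:
    """Defender-side policy: sanitize-then-check plus an extension allowlist, so a
    dangerous name is refused even if another trick slips past the prefix check."""
    cleaned = sanitize_then_check(name)
    if cleaned is None:
        return None
    ext = cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""
    if ext not in ALLOWED_EXTENSIONS:
        return None
    return cleaned


if __name__ == "__main__":
    for raw in SAMPLE_NAMES:
        print(f"{raw!r:22} vulnerable -> {check_then_sanitize(raw)!r:14} "
              f"fixed -> {accept_upload(raw)!r}")
```

The general rule the fix embodies is that every security decision must be made on the exact bytes that reach the file system; any normalization, decoding or character stripping that happens after a check reopens it.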

Mitigating Controls (NIST 800-53 r5) · AI-generated

- prevent: Requires timely remediation of software flaws, directly mitigating the patch bypass and TOCTOU vulnerability by applying the fix in FreeScout 1.8.207.
- prevent: Mandates validation of uploaded file names to reject malicious invisible characters like zero-width spaces before sanitization, preventing the bypass of dot-prefix checks.
- prevent: Enforces restrictions on uploaded file types and extensions, blocking dangerous files like .htaccess regardless of name manipulation tricks.

Security Summary · AI-generated

CVE-2026-28289 is a patch bypass vulnerability affecting FreeScout, a free help desk and shared inbox application built with PHP's Laravel framework, in versions 1.8.206 and earlier. It circumvents protections added for the prior CVE-2026-27636 by exploiting a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function within app/Http/Helper.php. Attackers can upload a malicious .htaccess file prefixed with a zero-width space character, which evades the dot-prefix security check performed before invisible characters are sanitized, enabling server-side execution of arbitrary code.

Any authenticated user with file upload permissions can exploit this vulnerability remotely over the network with low complexity, achieving remote code execution (RCE) on the affected server. The CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects its critical severity, including high impacts on confidentiality, integrity, and availability with changed scope.

The vulnerability is fixed in FreeScout version 1.8.207, as detailed in the project's GitHub security advisory (GHSA-5gpc-65p8-ffwp) and the patching commit (f7bc16c56a6b13c06da52ad51fd666546b40818f). Security practitioners should upgrade to the patched version immediately and review file upload configurations to restrict permissions where possible. Additional analysis is available in the OX Security blog post on the issue.

Details

CWE(s)

Affected Products

freescout / freescout, versions ≤ 1.8.207

MITRE ATT&CK Enterprise Techniques · AI-generated

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a patch bypass in the public-facing FreeScout web application, enabling remote code execution via crafted file upload, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References