Laravel · Laravel · CVE-2026-28289
Name of the Vulnerable Software and Affected Versions
FreeScout versions 1.8.206 and earlier
Description
FreeScout is susceptible to remote code execution (RCE) vulnerabilities (CVE-2026-27636 and CVE-2026-28289). CVE-2026-27636 allows authenticated users with file upload permissions to execute code by uploading a malicious .htaccess file with a zero-width space character prefix, bypassing security checks due to a Time-of-Check to Time-of-Use (TOCTOU) flaw in the `sanitizeUploadedFileName()` function within app/Http/Helper.php. CVE-2026-28289 enables unauthenticated, zero-click RCE via email by exploiting a filename validation bypass using the same zero-width space character. Attackers can send a crafted email to any FreeScout mailbox, leading to remote code execution and potential server takeover. The vulnerability bypasses a previous security patch.
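The bypass described above hinges on a filename check that does not run on the final, normalized name. The following is an added defensive example (not FreeScout's code) showing a sanitizer that first strips invisible Unicode format characters such as U+200B and only then applies dotfile, blocked-name and extension rules to the name that would actually be written to disk; the blocklists and helper names are constructed for illustration.

```python
import unicodedata
from typing import List, Optional

# Constructed blocklists for this example; not FreeScout's actual configuration.
BLOCKED_BASENAMES = {".htaccess", ".htpasswd", "web.config", ".user.ini"}
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}


def find_invisible_chars(name: str) -> List[str]:
    """List invisible code points (Unicode category Cf, e.g. U+200B, plus ASCII
    controls) in a filename; useful for logging/alerting on suspicious uploads."""
    return [
        f"U+{ord(ch):04X}"
        for ch in name
        if unicodedata.category(ch) == "Cf" or ord(ch) < 0x20 or ord(ch) == 0x7F
    ]


def strip_invisible(name: str) -> str:
    """NFKC-normalize, then drop format and control characters so that a name
    like '<ZWSP>.htaccess' collapses to the name it would really have on disk."""
    return "".join(
        ch
        for ch in unicodedata.normalize("NFKC", name)
        if unicodedata.category(ch) != "Cf" and ord(ch) >= 0x20 and ord(ch) != 0x7F
    )


def sanitize_upload_filename(name: str) -> Optional[str]:
    """Return the safe basename to store, or None to reject the upload.
    All checks run on the fully cleaned name, so stripping cannot later turn an
    accepted name into a forbidden one (the check and the use agree)."""
    base = strip_invisible(name).strip().replace("\\", "/").rsplit("/", 1)[-1]
    if not base or base in {".", ".."}:
        return None
    if base.startswith("."):  # dotfiles (server config such as .htaccess) never pass
        return None
    if base.lower() in BLOCKED_BASENAMES:
        return None
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext in BLOCKED_EXTENSIONS:
        return None
    return base
```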
Recommendations
Update to version 1.8.207 to address these vulnerabilities.