PT-2026-21853 · Freescout+2
Offensive-Ai · Published 2026-02-25 · Updated 2026-04-06 · CVE-2026-27636
CVSS v3.1: 8.8 High | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
FreeScout versions prior to 1.8.206
Description
FreeScout, a PHP-based help desk and shared inbox application built on the Laravel framework, contains a flaw in its file upload restrictions. Prior to version 1.8.206, the application does not prevent the upload of .htaccess and .user.ini files. On Apache servers configured with AllowOverride All, an authenticated user can upload a .htaccess file, potentially redefining file processing rules and enabling Remote Code Execution. This issue can be exploited independently or in conjunction with another issue. The vulnerable file is located at app/Misc/Helper.php. The upload functionality is affected.
Recommendations
Versions prior to 1.8.206 should be updated to version 1.8.206 or later.
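After updating, it is worth checking whether .htaccess or .user.ini files already sit in the upload storage. The following audit sketch is an added example, not FreeScout code or part of the original advisory; the directory layout in `run_sample` is constructed, and the real storage path of an installation has to be passed to `audit_upload_tree`.

```python
import os
import tempfile

# The two per-directory configuration file names named in the advisory.
SERVER_CONFIG_NAMES = {".htaccess", ".user.ini"}


def is_server_config_name(name: str) -> bool:
    """True if the base name is a server-config dotfile, ignoring case and
    trailing dots/spaces (which some filesystems silently drop)."""
    base = os.path.basename(name).rstrip(". ").lower()
    return base in SERVER_CONFIG_NAMES


def audit_upload_tree(root: str) -> list[str]:
    """Return sorted '/'-separated relative paths of flagged files under root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for filename in filenames:
            if is_server_config_name(filename):
                rel = os.path.relpath(os.path.join(dirpath, filename), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def run_sample() -> list[str]:
    """Audit a constructed tree (not FreeScout's real storage layout)."""
    sample = ("a/1/report.pdf", "a/2/.htaccess", "b/.User.INI", "b/notes.txt")
    with tempfile.TemporaryDirectory() as tmp:
        for rel in sample:
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
        return audit_upload_tree(tmp)


if __name__ == "__main__":
    for hit in run_sample():
        print("review:", hit)
```

Any hit in a directory that only holds user uploads deserves review, since such a directory has no legitimate reason to contain its own server configuration.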
Exploit
Fix
RCE
Unrestricted File Upload
Affected Products
Apache
Freescout
Laravel