PT-2026-22809 · Laravel · Mosesox · Published 2026-03-03 · Updated 2026-03-05 · CVE-2026-28289

CVSS v3.1: 10 · Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeScout versions 1.8.206 and earlier

Description: FreeScout help desk software contains a patch-bypass vulnerability that allows attackers to achieve Remote Code Execution (RCE). The flaw circumvents a previous security patch and allows attackers to upload malicious files, such as .htaccess, by using a zero-width space character to evade file validation checks. The vulnerability exists due to a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function in app/Http/Helper.php. Attackers can exploit this by sending a crafted email to any FreeScout mailbox, enabling them to execute code remotely and potentially gain full control of the server. This can lead to data exfiltration and lateral movement within the affected environment. The vulnerability is particularly severe for installations on Apache servers with 'AllowOverride All' enabled, where an uploaded .htaccess is honoured as per-directory configuration.

Recommendations: Update to FreeScout version 1.8.207.
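To illustrate the check-order problem the advisory describes (validating one representation of a filename while a different, cleaned representation is what gets written), here is an added, language-agnostic Python example; it is not FreeScout's code, and the function names, the denylist and the sample filenames are constructed for this illustration.

```python
import unicodedata

# Filenames Apache treats as per-directory configuration; with "AllowOverride All"
# an uploaded .htaccess changes how the server handles files in that directory.
FORBIDDEN_BASENAMES = {".htaccess"}


def strip_invisible(name: str) -> str:
    """Canonicalize a filename: NFKC-fold, drop format (Cf) and control (Cc)
    code points such as U+200B ZERO WIDTH SPACE, and keep only the basename."""
    folded = unicodedata.normalize("NFKC", name)
    visible = "".join(ch for ch in folded if unicodedata.category(ch) not in ("Cf", "Cc"))
    return visible.replace("\\", "/").rsplit("/", 1)[-1].strip()


def naive_check_then_strip(name: str) -> str:
    """Hypothetical weak ordering: validate the raw name, then clean it.
    ".\u200bhtaccess" is not equal to ".htaccess", so the check passes, yet the
    cleaned value that is actually stored becomes ".htaccess"."""
    if name.lower() in FORBIDDEN_BASENAMES:
        raise ValueError(f"forbidden filename: {name!r}")
    return strip_invisible(name)


def sanitize_upload_name(name: str) -> str:
    """Hardened ordering: canonicalize first, validate the canonical value, and
    return that same value so the caller cannot write a different representation."""
    safe = strip_invisible(name)
    if not safe or safe in (".", ".."):
        raise ValueError("empty or relative filename")
    if safe.lower() in FORBIDDEN_BASENAMES:
        raise ValueError(f"forbidden filename: {safe!r}")
    return safe


def is_rejected(name: str) -> bool:
    """True when the hardened sanitizer refuses the name."""
    try:
        sanitize_upload_name(name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the zero-width-space variant slips past the naive check
    # but is refused once the canonical value is the one being validated.
    print(repr(naive_check_then_strip(".\u200bhtaccess")))  # '.htaccess'
    print(is_rejected(".\u200bhtaccess"))                  # True
```

The same rule applies to any later filter in the upload path: every check must run on the exact string that is passed to the filesystem, never on an earlier form of it.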

Tags: Fix, RCE, Unrestricted File Upload

Weakness Enumeration:

Related Identifiers: CVE-2026-28289

Affected Products: FreeScout, Laravel