PT-2026-22809 · Laravel

Mosesox · Published 2026-03-03 · Updated 2026-04-03 · CVE-2026-28289

CVSS v3.1: 10 (Critical) · AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: FreeScout versions 1.8.206 and earlier

Description: FreeScout is susceptible to two remote code execution (RCE) vulnerabilities, CVE-2026-27636 and CVE-2026-28289. CVE-2026-27636 allows authenticated users with file upload permissions to execute code by uploading a malicious .htaccess file whose name is prefixed with a zero-width space character; the name passes the security checks because of a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function in app/Http/Helper.php. CVE-2026-28289 enables unauthenticated, zero-click RCE via email by bypassing the same filename validation with the same zero-width space character. An attacker can send a crafted email to any FreeScout mailbox, leading to remote code execution and potential server takeover. The vulnerability bypasses a previous security patch.

Recommendations: Update to version 1.8.207 to address these vulnerabilities.
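The root cause described above is an ordering problem: the filename is checked before it is canonicalised, so a name that is harmless at check time becomes ".htaccess" once the invisible prefix is removed. The following added example (not FreeScout's code, and not a reconstruction of sanitizeUploadedFileName(); written in Python rather than PHP so it can be run as-is) contrasts the flawed check-then-sanitize ordering with the hardened sanitize-then-check ordering, where the exact string that will be written to disk is the one that is validated. The deny lists are assumptions chosen for illustration, not FreeScout's actual lists.

```python
import unicodedata
from typing import Optional

# Assumed deny lists for illustration only; a real application would use its own.
BLOCKED_BASENAMES = {".htaccess", ".htpasswd", ".user.ini"}
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}


def _strip_invisible(name: str) -> str:
    """Remove format (Cf, which includes U+200B ZERO WIDTH SPACE) and control (Cc)
    code points, then NFKC-normalise so that the name is in canonical form."""
    cleaned = "".join(
        ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc")
    )
    return unicodedata.normalize("NFKC", cleaned)


def _is_dangerous(name: str) -> bool:
    """Reject dot-files (server configuration such as .htaccess) and executable extensions."""
    lowered = name.lower()
    if lowered in BLOCKED_BASENAMES or lowered.startswith("."):
        return True
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    return ext in BLOCKED_EXTENSIONS


def check_then_sanitize(name: str) -> Optional[str]:
    """Flawed ordering (TOCTOU-style): validate the raw name, then strip invisible characters.
    "\u200b.htaccess" does not start with "." at check time, so it is accepted,
    and only afterwards becomes ".htaccess". Returns the name that would be written,
    or None if rejected."""
    if _is_dangerous(name):
        return None
    return _strip_invisible(name)


def sanitize_then_check(name: str) -> Optional[str]:
    """Hardened ordering: canonicalise first, then validate the final string.
    Whatever is returned is exactly what was checked."""
    final = _strip_invisible(name).strip()
    if not final or _is_dangerous(final):
        return None
    return final


if __name__ == "__main__":
    # Constructed sample names: the page's zero-width-space case and a benign upload.
    for candidate in ("\u200b.htaccess", ".htaccess", "report.pdf"):
        print(repr(candidate), "flawed ->", repr(check_then_sanitize(candidate)),
              "| hardened ->", repr(sanitize_then_check(candidate)))
```

The defensive rule the example encodes is simple: every transformation of an attacker-controlled name (stripping, normalisation, trimming) must happen before the security decision, and the value that is validated must be the value that is used, with no further rewriting in between.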

Tags: Exploit · Fix · RCE · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-28289, GHSA-5GPC-65P8-FFWP

Affected Products: Freescout, Laravel