{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28289", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-26T01:52:58.735Z", "datePublished": "2026-03-03T22:59:08.679Z", "dateUpdated": "2026-03-05T21:09:30.846Z"}, "containers": {"cna": {"title": "FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution", "problemTypes": [{"descriptions": [{"cweId": "CWE-434", "lang": "en", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp"}, {"name": "https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f", "tags": ["x_refsource_MISC"], "url": "https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f"}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"version": "< 1.8.207", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:59:08.679Z"}, "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207."}], "source": {"advisory": "GHSA-5gpc-65p8-ffwp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-04T16:04:55.522646Z", "id": "CVE-2026-28289", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:05:07.046Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-05T21:09:30.846Z"}, "references": [{"url": "https://www.ox.security/blog/freescout-rce-cve-2026-28289/"}], "title": "CVE Program Container", "x_generator": {"engine": "ADPogram 0.0.1"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.ox.security/blog/freescout-rce-cve-2026-28289/"}], "x_generator": {"engine": "ADPogram 0.0.1"}, "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-05T21:09:30.846Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28289", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-04T16:04:55.522646Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-04T16:05:00.332Z"}}], "cna": {"title": "FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution", "source": {"advisory": "GHSA-5gpc-65p8-ffwp", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "freescout-help-desk", "product": "freescout", "versions": [{"status": "affected", "version": "< 1.8.207"}]}], "references": [{"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp", "name": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f", "name": "https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434: Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-03T22:59:08.679Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28289", "state": "PUBLISHED", "dateUpdated": "2026-03-05T21:09:30.846Z", "dateReserved": "2026-02-26T01:52:58.735Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-03T22:59:08.679Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "matchCriteriaId": "F5903DB5-FCA5-4162-869D-15FFF4B2A450", "versionEndExcluding": "1.8.207", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207."}, {"lang": "es", "value": "FreeScout es una mesa de ayuda gratuita y una bandeja de entrada compartida construida con el framework Laravel de PHP. Una vulnerabilidad de omisi\u00f3n de parche para CVE-2026-27636 en FreeScout 1.8.206 y anteriores permite a cualquier usuario autenticado con permisos de carga de archivos lograr Ejecuci\u00f3n Remota de C\u00f3digo (RCE) en el servidor mediante la carga de un archivo .htaccess malicioso utilizando un prefijo de car\u00e1cter de espacio de ancho cero para omitir la verificaci\u00f3n de seguridad. La vulnerabilidad existe en la funci\u00f3n sanitizeUploadedFileName() en app/Http/Helper.php. La funci\u00f3n contiene una falla de Tiempo de Verificaci\u00f3n a Tiempo de Uso (TOCTOU) donde la verificaci\u00f3n del prefijo de punto ocurre antes de que la sanitizaci\u00f3n elimine los caracteres invisibles. Esta vulnerabilidad est\u00e1 corregida en 1.8.207."}], "id": "CVE-2026-28289", "lastModified": "2026-03-11T19:29:44.933", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-03T23:15:56.550", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Vendor Advisory"], "url": "https://www.ox.security/blog/freescout-rce-cve-2026-28289/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-434"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.8.207)"}}], "enrichment": {"confidence": 98.0, "confidence_source": "matching", "scores": [{"score": 98.0, "source": "matching"}]}, "original": {"product": "freescout", "source": "cna", "vendor": "freescout-help-desk"}, "product": "freescout", "vendor": "freescout_helpdesk"}], "analysis": {"en": {"generated_at": "2026-04-16T13:49:36.366487+00:00", "value": {"mitigation_remediation": ["Upgrade to version 1.8.207 or later to apply the patch that fixes the upload validation check.", "If an upgrade is not immediately feasible, remove or restrict upload permissions for authenticated users until the patch is applied.", "Configure the web server or application to reject .htaccess file uploads, or rename any uploaded .htaccess files to a non\u2011executable extension such as .txt as a temporary safeguard."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Freescout help\u2011desk application. All installations of Freescout 1.8.206 or older, when an authenticated user has permission to upload files, are susceptible. The issue is specific to the Laravel\u2011based implementation of file handling in Freescout.", "description_and_impact": "FreeScout instances running version 1.8.206 or earlier are vulnerable to a patch\u2011bypass that allows an authenticated user with file\u2011upload privileges to upload a malicious .htaccess file. The vulnerability arises from a TOCTOU flaw in the sanitizeUploadedFileName() function, which permits a zero\u2011width space prefix to evade the dot\u2011file check before sanitization. When exploited, this flaw permits arbitrary code execution on the server, giving the attacker full control over the underlying system.", "risk_and_exploitability": "The CVSS score of 10 indicates a critical severity. With an EPSS of 22%, exploit probability is moderate to high. The vulnerability is not currently listed in CISA\u2019s KEV catalog. Exploitation requires only that the user be authenticated and possess file\u2011upload rights; no additional privileges are necessary. Once the malicious .htaccess file is uploaded, the attacker can achieve remote code execution with full control over the server."}}}}, "created": "2026-03-04T14:53:28.027608+00:00", "updated": "2026-04-16T14:00:19.461253+00:00", "vendors": ["freescout_helpdesk", "freescout_helpdesk$PRODUCT$freescout"]}