Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
Published: 2026-02-25
Score: 8.8 High
EPSS: 22.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the help desk platform's file-upload filter failing to block files named ".htaccess" or ".user.ini". An authenticated user can therefore upload a malicious ".htaccess" file to the server. On hosts running Apache with the common AllowOverride All setting, that file can change how the web server or PHP processes files in the upload directory, giving the attacker the ability to execute arbitrary code on the host. The flaw is a classic instance of unrestricted upload of a dangerous file type (CWE-434). The potential impact is full control of the web application and possibly the underlying host, compromising confidentiality, integrity, and availability.

Affected Systems

Affected systems are all installations of the FreeScout help desk platform older than version 1.8.206 running on an Apache web server configured with AllowOverride All. The relevant product is the FreeScout help desk, and any authenticated user who can upload files is able to trigger the flaw.

Risk and Exploitability

Risk assessment shows a CVSS score of 8.8 (high severity) and an EPSS score of 22%, indicating a non-negligible probability of exploitation. The flaw is not yet listed in the CISA KEV catalog. Exploitation requires an authenticated account with upload privileges and a permissive Apache configuration; it can also be combined with the related vulnerability CVE-2026-27637 to increase damage. Enterprise deployments should treat this as a critical threat.

Generated by OpenCVE AI on May 4, 2026 at 14:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official FreeScout patch to version 1.8.206 or later, which blocks the upload of ".htaccess" and ".user.ini" files.
  • If a patch is not immediately possible, reconfigure Apache to remove the AllowOverride All directive for the web root or set it to None to prevent the uploaded file from reconfiguring PHP processing.
  • Restrict file types in FreeScout’s upload configuration by explicitly disallowing entries such as ".htaccess" and ".user.ini" until the official patch can be applied.
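As an added illustration of the third action (this is not FreeScout's code and the lists are constructed, not the project's own restriction list), the check below rejects Apache and PHP per-directory configuration files by exact name after normalising case, whitespace and path components, and goes slightly beyond the advisory by checking every extension of a multi-extension name.

```php
<?php
// Added example, not FreeScout's code: a hardened upload-name check that
// blocks server configuration files as well as executable extensions.
// Both lists are illustrative; a deployment would keep its own.
const RESTRICTED_FILENAMES  = ['.htaccess', '.htpasswd', '.user.ini'];
const RESTRICTED_EXTENSIONS = ['php', 'phtml', 'phar', 'htaccess'];

function isForbiddenUploadName(string $clientName): bool
{
    // Judge only the last path segment, so "x/../.htaccess" is not missed.
    $name = basename(str_replace('\\', '/', $clientName));
    // Normalise: lower-case, trim, and drop trailing dots/spaces (Windows
    // discards them, so ".htaccess." would be stored as ".htaccess").
    $name = rtrim(strtolower(trim($name)), '. ');
    if ($name === '') {
        return true; // nothing sensible to store
    }
    // 1. Exact-name block for dotfiles that reconfigure Apache or PHP.
    if (in_array($name, RESTRICTED_FILENAMES, true)) {
        return true;
    }
    // 2. Anything starting with ".ht" is an Apache per-directory file.
    if (str_starts_with($name, '.ht')) {   // PHP 8.0+
        return true;
    }
    // 3. Extension block over every extension, so "shell.php.jpg" is
    //    also rejected (Apache may hand multi-extension names to PHP).
    $parts = explode('.', $name);
    array_shift($parts);                   // drop the stem
    foreach ($parts as $ext) {
        if (in_array($ext, RESTRICTED_EXTENSIONS, true)) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs to exercise the check.
$samples = ['invoice.pdf', '.htaccess', ' .HTACCESS. ', 'dir/.user.ini',
            'shell.php.jpg', 'notes.txt'];
foreach ($samples as $n) {
    printf("%-16s %s\n", $n, isForbiddenUploadName($n) ? 'reject' : 'accept');
}
```

Because `.user.ini` is read by PHP's CGI/FastCGI SAPIs rather than by Apache, the exact-name block still matters where AllowOverride has already been set to None.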


Tracking


Advisories

No advisories yet.

History

Thu, 26 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Freescout
Freescout freescout
CPEs cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products Freescout
Freescout freescout

Wed, 25 Feb 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Freescout Helpdesk
Freescout Helpdesk freescout
Vendors & Products Freescout Helpdesk
Freescout Helpdesk freescout

Wed, 25 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.
Title FreeScout: Missing .htaccess in Restricted File Extensions Allows Remote Code Execution on Apache
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T15:25:24.822Z

Reserved: 2026-02-20T22:02:30.028Z

Link: CVE-2026-27636

Vulnrichment

Updated: 2026-02-25T15:24:57.960Z

NVD

Status : Analyzed

Published: 2026-02-25T04:16:03.933

Modified: 2026-02-26T16:07:11.047

Link: CVE-2026-27636

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T14:45:02Z

Weaknesses