Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Published: 2026-03-03
Score: 10 Critical
EPSS: 22.3% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

FreeScout instances running version 1.8.206 or earlier are vulnerable to a patch-bypass that allows an authenticated user with file-upload privileges to upload a malicious .htaccess file. The vulnerability arises from a TOCTOU flaw in the sanitizeUploadedFileName() function, which permits a zero-width space prefix to evade the dot-file check before sanitization. When exploited, this flaw permits arbitrary code execution on the server, giving the attacker full control over the underlying system.
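The description above and this Impact section both come down to check ordering: a dot-prefix test that runs before invisible characters are stripped never sees the dot. The following is an added illustration written for this page, not FreeScout's code and not the real body of sanitizeUploadedFileName() (which is not reproduced here); both function names, the regular expressions and the constructed input are assumptions chosen to show the defect and its fix side by side.

```php
<?php
// Added illustration (not FreeScout's code): why the order of "dot-prefix check"
// and "strip invisible characters" matters in an upload filename sanitizer.

// Invisible code points an attacker can prepend to a filename without changing
// how it looks: U+200B..U+200D (zero-width space/joiners), U+2060, U+FEFF.
const INVISIBLE_CHARS = '/[\x{200B}-\x{200D}\x{2060}\x{FEFF}]/u';

// Hypothetical flawed ordering (the pattern the advisory describes): test for a
// leading dot first, strip invisible characters afterwards. A name that starts
// with a zero-width space passes the test, and the later stripping turns it
// back into a dotfile such as ".htaccess".
function sanitizeFilenameFlawed(string $name): ?string
{
    if ($name !== '' && $name[0] === '.') {
        return null;                       // rejected as a dotfile (too early)
    }
    $name = preg_replace(INVISIBLE_CHARS, '', $name);
    return $name === null ? null : $name;  // preg_replace returns null on bad UTF-8
}

// Hardened ordering: normalise first, then run every check against the final
// form of the name, so nothing removed later can re-introduce a leading dot.
function sanitizeFilenameHardened(string $name): ?string
{
    // 1. Normalise: drop invisible characters, control characters and path
    //    separators, then surrounding whitespace.
    $name = preg_replace(INVISIBLE_CHARS, '', $name);
    if ($name === null) {
        return null;                       // invalid UTF-8: refuse rather than guess
    }
    $name = preg_replace('/[\x00-\x1F\x7F\/\\\\]/', '', $name);
    $name = trim($name);

    // 2. Check the *final* name: empty names and dotfiles are rejected here,
    //    after every transformation has already happened.
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    return $name;
}

// Constructed input for the demonstration: a zero-width space followed by the
// dotfile name the advisory mentions.
$crafted = "\u{200B}.htaccess";
var_dump(sanitizeFilenameFlawed($crafted));
var_dump(sanitizeFilenameHardened($crafted));
```

Run with `php example.php`: the flawed function returns the bare dotfile name because its only check ran against the still-prefixed string, while the hardened function returns null. The general rule the hardened version follows is that any validation of user-supplied names must be applied to the exact string that will be written to disk, after all normalisation, and never to an intermediate form.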

Affected Systems

The affected product is the FreeScout help-desk application. All installations of FreeScout 1.8.206 or older, when an authenticated user has permission to upload files, are susceptible. The issue is specific to the Laravel-based implementation of file handling in FreeScout.

Risk and Exploitability

The CVSS score of 10 indicates a critical severity. With an EPSS of 22%, exploit probability is moderate to high. The vulnerability is not currently listed in CISA's KEV catalog. Exploitation requires only that the user be authenticated and possess file-upload rights; no additional privileges are necessary. Once the malicious .htaccess file is uploaded, the attacker can achieve remote code execution with full control over the server.

Generated by OpenCVE AI on April 16, 2026 at 13:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 1.8.207 or later to apply the patch that fixes the upload validation check.
  • If an upgrade is not immediately feasible, remove or restrict upload permissions for authenticated users until the patch is applied.
  • Configure the web server or application to reject .htaccess file uploads, or rename any uploaded .htaccess files to a non-executable extension such as .txt as a temporary safeguard.

Generated by OpenCVE AI on April 16, 2026 at 13:49 UTC.


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 22:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Freescout
Freescout freescout
CPEs cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*
Vendors & Products Freescout
Freescout freescout

Wed, 04 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 04 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Freescout Helpdesk
Freescout Helpdesk freescout
Vendors & Products Freescout Helpdesk
Freescout Helpdesk freescout

Tue, 03 Mar 2026 23:15:00 +0000

Type Values Removed Values Added
Description FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Title FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-05T21:09:30.846Z

Reserved: 2026-02-26T01:52:58.735Z

Link: CVE-2026-28289

Vulnrichment

Updated: 2026-03-05T21:09:30.846Z

NVD

Status : Analyzed

Published: 2026-03-03T23:15:56.550

Modified: 2026-03-11T19:29:44.933

Link: CVE-2026-28289

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T14:00:19Z

Weaknesses