CVE-2026-28289
FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution
In short
FreeScout 1.8.206 allows authenticated users to upload malicious files by hiding dangerous filenames with invisible characters, bypassing security checks and taking control of the server. This is a critical flaw because attackers with basic upload permissions can execute any code they want.
Technical detail
An authenticated attacker with file upload permissions exploits a TOCTOU vulnerability in sanitizeUploadedFileName() by prefixing a malicious .htaccess filename with a zero-width space character. The security check validates the filename before invisible character sanitization occurs, allowing the dangerous file to be written to the server and executed, resulting in arbitrary remote code execution.
Summary generated and translated by AI from the official description.
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
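As an added illustration that is not FreeScout's own code, the constructed Python model below contrasts the check-then-sanitize ordering the advisory describes with a sanitize-then-check fix; the names strip_invisible, contains_invisible, sanitize_vulnerable and sanitize_fixed are hypothetical and only stand in for the real sanitizeUploadedFileName() logic.

```python
import unicodedata
from typing import Optional

# Constructed model of the ordering flaw in the advisory. These helpers are
# hypothetical; FreeScout's real code lives in app/Http/Helper.php.

# Zero-width code points that a byte-for-byte prefix check does not notice.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}


def contains_invisible(name: str) -> bool:
    """Detection hook: flag uploads carrying zero-width or other Cf code points."""
    return any(ch in INVISIBLE or unicodedata.category(ch) == "Cf" for ch in name)


def strip_invisible(name: str) -> str:
    """Remove zero-width characters and every Unicode format (Cf) code point."""
    return "".join(
        ch for ch in name
        if ch not in INVISIBLE and unicodedata.category(ch) != "Cf"
    )


def is_dot_file(name: str) -> bool:
    """Dot-files such as .htaccess are interpreted by Apache as configuration."""
    return name.startswith(".")


def sanitize_vulnerable(name: str) -> Optional[str]:
    """Check-then-sanitize (the flawed order): the dot-prefix check sees the
    raw name, so a leading zero-width space hides the dot; sanitization then
    strips that character and re-exposes '.htaccess' before it is written."""
    if is_dot_file(name):
        return None
    return strip_invisible(name)


def sanitize_fixed(name: str) -> Optional[str]:
    """Sanitize-then-check: normalize first, then validate the exact string
    that will reach the filesystem, so the check and the use agree."""
    cleaned = strip_invisible(name)
    if not cleaned or is_dot_file(cleaned):
        return None
    return cleaned
```

Any validation that runs on a value other than the one finally passed to the filesystem leaves the same gap, whatever the invisible character; logging contains_invisible() hits gives a cheap signal for upload attempts of this kind.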
Affected products
freescout-help-desk · freescout