CRITICAL🇵🇱 Wersja polska

CVE-2026-28289

CVSS 10.0v3.1pub. 2026-03-03upd. 2026-03-11

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

🤖 AI Analysis
How it works

The vulnerability lies in the sanitizeUploadedFileName() function in the app/Http/Helper.php file. The function contains a Time-of-Check to Time-of-Use (TOCTOU) class error: checking the dot prefix in the filename (intended to detect configuration files such as .htaccess) occurs before the sanitization stage, which removes invisible characters (including zero-width space). An attacker uploads a file with a name containing a zero-width space before '.htaccess', which causes the security verification to not recognize it as a configuration file, but when saved to disk the Apache server interprets it as an .htaccess file. This enables the introduction of malicious directives and execution of code on the server side.

Impact

An attacker can gain full remote control over the server (RCE), which may lead to disclosure, modification or destruction of data and to further lateral movement in the infrastructure.

Mitigation & patch

FreeScout should be updated to version 1.8.207, in which the vulnerability has been fixed. The patch is available in the vendor's repository (commit f7bc16c). Until the update is applied, it is recommended to restrict file upload permissions exclusively to trusted users.

Who is affected

FreeScout in version 1.8.206 and earlier — affects instances where at least one user has file upload permissions.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  • Freescout

    APP
    Freescout
    < 1.8.207
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCERace Condition
CWE
References

Related vulnerabilities

CVE-2026-32754CRITICAL9.3PL ✓ten sam produkt

FreeScout: Stored XSS w szablonach powiadomień e-mail umożliwia przejęcie kont

CVE-2026-27637CRITICAL9.8PL ✓ten sam produkt

FreeScout: przewidywalny token uwierzytelniający umożliwia przejęcie konta

CVE-2024-29185CRITICAL9.0PL ✓ten sam produkt

FreeScout: OS Command Injection umożliwiający przejęcie serwera

CVE-2026-40496HIGH8.8ten sam produkt

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, attachment download to...

CVE-2026-40497HIGH8.1ten sam produkt

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.213, FreeScout's `Helper::s...