10.0
CRITICAL CVSS 3.1
CVE-2026-28289
FreeScout 1.8.206 Patch Bypass for CVE-2026-27636 via Zero-Width Space Character Leads to Remote Code Execution
Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
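As an added illustration of the ordering flaw described above (example code, not FreeScout's own Helper.php or its patch), the first function below checks the dot prefix before stripping invisible characters, while the second strips and canonicalises first and runs every check on the final name. The function names, the invisible-character class and the sample input are constructed for this example.

```php
<?php
// Hypothetical upload-name sanitizers (not FreeScout's code) showing why the
// dot-prefix check must run AFTER invisible characters have been removed.

// Unicode "format" characters (category Cf) are invisible in most renderers;
// they include U+200B ZERO WIDTH SPACE, U+200C/U+200D joiners and U+FEFF BOM.
const INVISIBLE_CHARS = '/\p{Cf}/u';

// Flawed ordering: the dot-file check sees the raw name, which starts with an
// invisible character rather than '.', so it passes. Stripping afterwards
// turns "\u{200B}.htaccess" into ".htaccess" on disk.
function sanitizeFlawed(string $name): string
{
    if (str_starts_with($name, '.')) {
        $name = '_' . substr($name, 1);          // defuse dot-files
    }
    return preg_replace(INVISIBLE_CHARS, '', $name);
}

// Corrected ordering: normalise to the final canonical form first (strip
// invisibles, drop any directory part, apply a conservative allow-list), then
// apply the security check to the string that will actually be written.
function sanitizeFixed(string $name): string
{
    $name = preg_replace(INVISIBLE_CHARS, '', $name);
    $name = basename(str_replace('\\', '/', $name)); // no path components
    $name = preg_replace('/[^\w.\-]/', '_', $name);  // allow-list, not deny-list
    if ($name === '' || $name[0] === '.') {
        $name = '_' . ltrim($name, '.');             // ".htaccess" -> "_htaccess"
    }
    // The invariant is asserted on the value that leaves the function.
    assert(!str_starts_with($name, '.'));
    return $name;
}

$input = "\u{200B}.htaccess";           // constructed sample: ZWSP + ".htaccess"
var_dump(sanitizeFlawed($input));      // string(9) ".htaccess"  <- check bypassed
var_dump(sanitizeFixed($input));       // string(9) "_htaccess"
```

The same rule generalises beyond zero-width characters: any transformation applied to a filename (Unicode stripping, path normalisation, extension mapping) must happen before, not after, the checks that decide whether the name is acceptable.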

INFO

Published Date: March 3, 2026, 11:15 p.m.

Last Modified: March 5, 2026, 10:16 p.m.

Remotely Exploitable: Yes
Affected Products

The following products are affected by CVE-2026-28289. Even where cvefeed.io knows the exact affected versions of these products, that information is not shown in the table below.

ID Vendor Product
1 Freescout freescout
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Version Severity Source
CVSS 3.1 CRITICAL [email protected]
CVSS 3.1 HIGH [email protected]
Solution
Update FreeScout to version 1.8.207 to fix a file upload vulnerability allowing remote code execution.
  • Update FreeScout to version 1.8.207.
  • Ensure file upload permissions are restricted.
  • Monitor uploaded files for malicious content.
Public PoC/Exploit Available at GitHub

CVE-2026-28289 has 3 public PoCs/exploits available on GitHub; they are listed below.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-28289.

URL Resource
https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f Patch
https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp Exploit, Mitigation, Vendor Advisory
https://www.ox.security/blog/freescout-rce-cve-2026-28289/
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-28289 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-28289 weaknesses.

We scan GitHub repositories to detect new proof-of-concept exploits. The following list collects public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

CVE-2026-28289

Python

Updated: 1 day, 10 hours ago
0 stars, 0 forks, 0 watchers
Born at: March 5, 2026, 5:48 p.m. This repo has also been linked to 2 different CVEs.

Freescout-passive-scanner

Python

Updated: 3 days, 2 hours ago
0 stars, 0 forks, 0 watchers
Born at: March 4, 2026, 3:12 a.m. This repo has also been linked to 2 different CVEs.

📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.

security cve exploit poc vulnerability

Updated: 11 hours, 2 minutes ago
7553 stars, 1241 forks, 1241 watchers
Born at: Dec. 8, 2019, 1:03 p.m. This repo has also been linked to 755 different CVEs.

Results are limited to the first 15 repositories due to potential performance issues.

The following list shows news articles that mention the CVE-2026-28289 vulnerability anywhere in the article.

  • Help Net Security
March 2026 Patch Tuesday forecast: Is AI security an oxymoron?

Developers and analysts are using more AI tools to produce code and to test both the performance and security of the finished products. They are also embedding AI functionality in their products direc ...

Published Date: Mar 06, 2026 (21 hours, 29 minutes ago)
  • Help Net Security
Cisco warns of SD-WAN Manager exploitation, fixes 48 firewall vulnerabilities

Cisco has confirmed that two Catalyst SD-WAN Manager vulnerabilities (CVE-2026-20128 and CVE-2026-20122) patched in late February 2025 are being exploited by attackers. The exploited vulnerabilities ( ...

Published Date: Mar 05, 2026 (1 day, 15 hours ago)
  • Help Net Security
FreeScout vulnerability enables unauthenticated, zero-click RCE via email (CVE-2026-28289)

A newly discovered vulnerability (CVE-2026-28289) in the open-source help desk platform FreeScout could allow attackers to take over vulnerable servers by sending a specially crafted email to a FreeSc ...

Published Date: Mar 05, 2026 (1 day, 18 hours ago)
  • CybersecurityNews
Mail2Shell Zero-Click Attack lets Hackers Hijack FreeScout Mail Servers

Hackers Hijack FreeScout Mail Servers Researchers have uncovered a critical zero-click vulnerability in FreeScout, a widely used open-source help desk and shared mailbox application. Dubbed “Mail2Shel ...

Published Date: Mar 05, 2026 (1 day, 22 hours ago)
  • Daily CyberSecurity
CVSS 10.0 Unauthenticated Remote Code Execution in FreeScout (Public Proof-of-Concept Disclosed)

Security researchers have uncovered a maximum-score vulnerability in FreeScout, the popular open-source help desk and shared inbox platform. The flaw, tracked as CVE-2026-28289, carries a CVSS score o ...

Published Date: Mar 05, 2026 (2 days, 5 hours ago)

The following table lists the changes that have been made to the CVE-2026-28289 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • CVE Modified by af854a3a-2127-422b-91ae-364da2661108

    Mar. 05, 2026

    Action Type Old Value New Value
    Added Reference https://www.ox.security/blog/freescout-rce-cve-2026-28289/
  • Initial Analysis by [email protected]

    Mar. 05, 2026

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:* versions up to (excluding) 1.8.207
    Added Reference Type GitHub, Inc.: https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f Types: Patch
    Added Reference Type GitHub, Inc.: https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp Types: Exploit, Mitigation, Vendor Advisory
  • New CVE Received by [email protected]

    Mar. 03, 2026

    Action Type Old Value New Value
    Added Description FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
    Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    Added CWE CWE-434
    Added Reference https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f
    Added Reference https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.
Vulnerability Scoring Details
Base CVSS Score: 10.0
Metric breakdown (chart): Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, Confidentiality Impact, Integrity Impact, Availability Impact