FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Conclusion & alert: CVE-2026-28289 is rated High Exploit Risk (94.3/100): CVSS Critical severity, with high exploitation likelihood (EPSS 31.14%, 98th percentile). Core evidence: 2 public exploit reference(s) are indexed (Exploit-DB). EPSS rose +14.92% over the last day, indicating growing attacker interest. Mandatory action: Public exploits are available—assess exposure, apply mitigations, and prioritize patching.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
| EDB-ID | Source | Kind | Published | Link |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ | |
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 16.22% | 31.14% | +14.92% |
| 2 | 2026-05-28 | 20.55% | 16.22% | -4.33% |
| 3 | 2026-05-17 | — | 20.55% | — |
Full EPSS history (8 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 10.0 | 3.1 | CRITICAL |
|
3.9 | 6.0 | [email protected] |
| 8.1 | 3.1 | HIGH |
|
2.2 | 5.9 | [email protected] |
| URL | Tags |
|---|---|
| https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f | Patch |
| https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp | Exploit Mitigation Vendor Advisory |
| https://www.ox.security/blog/freescout-rce-cve-2026-28289/ | Exploit Vendor Advisory |