CVE-2026-28289
TOCTOU Bypass in FreeScout File Upload Enables RCE
Publication date: 2026-03-03
Last updated on: 2026-03-11
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freescout | freescout | up to 1.8.207 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects FreeScout, a help desk and shared inbox application built with PHP's Laravel framework. It is a patch bypass vulnerability related to CVE-2026-27636 that exists in FreeScout version 1.8.206 and earlier. The issue allows any authenticated user who has file upload permissions to execute remote code on the server. This is done by uploading a malicious .htaccess file that includes a zero-width space character prefix, which bypasses the security check designed to prevent such uploads.
The root cause is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function located in app/Http/Helper.php. The function checks for a dot prefix before sanitizing the filename, and the sanitization only removes invisible characters such as the zero-width space after that check has run. A name that begins with a zero-width space followed by a dot therefore passes the check, and once the invisible character is stripped the file is stored under a dot-prefixed name such as .htaccess. The vulnerability was fixed in version 1.8.207.
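The following is an added illustration of the ordering flaw described above and is not FreeScout's own code: the function names, the underscore-prefix handling of dotfiles, and the set of invisible characters are assumptions chosen for the example. It also includes a small check that an upload monitor could apply to incoming filenames.

```php
<?php
// Hypothetical stand-ins for sanitizeUploadedFileName(); only the order of the
// dot-prefix check versus the invisible-character stripping is taken from the advisory.

// Invisible characters the sanitizer strips: zero-width space/joiners, word joiner,
// byte-order mark and soft hyphen (an assumed set for this example).
const INVISIBLE_CHARS = '/[\x{200B}-\x{200D}\x{2060}\x{FEFF}\x{00AD}]/u';

function stripInvisible(string $name): string
{
    return preg_replace(INVISIBLE_CHARS, '', $name);
}

// Vulnerable order: the dot-prefix check runs on the raw name. A name such as
// "\u{200B}.htaccess" does not start with "." so it passes; stripping the
// zero-width space afterwards yields ".htaccess" on disk.
function sanitizeVulnerable(string $name): string
{
    if (substr($name, 0, 1) === '.') {
        $name = '_' . $name;          // neutralize dotfiles (assumed policy)
    }
    return stripInvisible($name);     // too late: the check already passed
}

// Fixed order: normalize first, then check the name that will actually be written.
function sanitizeFixed(string $name): string
{
    $name = stripInvisible($name);
    if ($name === '' || substr($name, 0, 1) === '.') {
        $name = '_' . $name;
    }
    return $name;
}

// Monitoring check: flag upload names that carry invisible characters at all,
// since a legitimate attachment name has no reason to contain them.
function hasInvisibleChars(string $name): bool
{
    return preg_match(INVISIBLE_CHARS, $name) === 1;
}

$upload = "\u{200B}.htaccess";        // constructed sample input from the advisory
echo 'vulnerable order stores: ', sanitizeVulnerable($upload), PHP_EOL;
echo 'fixed order stores:      ', sanitizeFixed($upload), PHP_EOL;
echo 'flag for review:         ', hasInvisibleChars($upload) ? 'yes' : 'no', PHP_EOL;
```

The same check applied to the final, post-sanitization name (rejecting any leading dot) is the general rule: validate what will be written, not what was received.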
How can this vulnerability impact me?
This vulnerability can have severe impacts because it allows an authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server hosting FreeScout. RCE means the attacker can run arbitrary code on the server, potentially leading to full system compromise.
- Attackers could gain unauthorized access to sensitive data.
- They could modify or delete data, disrupting business operations.
- The server could be used as a launchpad for further attacks within the network.
- Malicious code could be installed, leading to persistent backdoors or malware.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade FreeScout to version 1.8.207 or later, where the issue has been fixed.
Additionally, restrict file upload permissions to trusted users only and monitor uploads for suspicious files, in particular filenames containing invisible characters such as the zero-width space, which can be used to bypass the dot-prefix check.