CVE-2026-28289
Status: Received - Intake
TOCTOU Bypass in FreeScout File Upload Enables RCE

Publication date: 2026-03-03

Last updated on: 2026-03-11

Assigner: GitHub, Inc.

Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-04
EPSS evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor      Product     Version / Range
freescout   freescout   up to 1.8.207 (exclusive)
CWE
CWE ID     Description
CWE-434    The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
AI Quick Actions (instant insights powered by AI)
Executive Summary

This vulnerability affects FreeScout, a help desk and shared inbox application built with PHP's Laravel framework. It is a patch bypass vulnerability related to CVE-2026-27636 that exists in FreeScout version 1.8.206 and earlier. The issue allows any authenticated user who has file upload permissions to execute remote code on the server. This is done by uploading a malicious .htaccess file that includes a zero-width space character prefix, which bypasses the security check designed to prevent such uploads.

The root cause is a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function located in app/Http/Helper.php. The function checks for a leading dot before sanitizing the filename, and only after that check does sanitization strip invisible characters such as the zero-width space. A name consisting of a zero-width space followed by .htaccess therefore passes the check and becomes .htaccess once sanitized, so the file is accepted. The vulnerability was fixed in version 1.8.207.

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server hosting FreeScout. RCE means the attacker can run arbitrary code on the server, potentially leading to full system compromise.

  • Attackers could gain unauthorized access to sensitive data.
  • They could modify or delete data, disrupting business operations.
  • The server could be used as a launchpad for further attacks within the network.
  • Malicious code could be installed, leading to persistent backdoors or malware.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade FreeScout to version 1.8.207 or later, where the issue has been fixed.

Additionally, restrict file upload permissions to trusted users only and monitor uploads for suspicious files, especially those attempting to use zero-width space characters to bypass security checks.
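The check-before-sanitize ordering described in the executive summary, side by side with the corrected ordering, plus the upload monitoring suggested above, as an added Python example (this is not FreeScout's PHP code; the rule that neutralizes a dot-prefixed name and the choice to strip all Unicode format characters are assumptions):

```python
import unicodedata

# Unicode "format" characters (category Cf) render as nothing: zero-width space
# (U+200B), zero-width joiner (U+200D), byte-order mark (U+FEFF), ...
# Assumption: the sanitizer strips exactly this class of characters.
def strip_invisible(name: str) -> str:
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")

def neutralize_dotfile(name: str) -> str:
    # Assumption: a leading-dot name is neutralized by dropping the dots, so
    # ".htaccess" becomes "htaccess" and Apache no longer treats it as config.
    stripped = name.lstrip(".")
    return stripped if stripped else "file"

def sanitize_vulnerable_order(name: str) -> str:
    # Flawed ordering from the advisory: the dot check runs on the raw name and
    # invisible characters are removed afterwards. "\u200b.htaccess" does not
    # start with "." at check time, yet becomes ".htaccess" after stripping.
    name = neutralize_dotfile(name)
    return strip_invisible(name)

def sanitize_fixed_order(name: str) -> str:
    # Corrected ordering: normalize and strip first, then run every check on
    # the final string that will actually be written to disk.
    name = unicodedata.normalize("NFKC", name)
    name = strip_invisible(name)
    return neutralize_dotfile(name)

def flag_suspicious_uploads(filenames):
    # Monitoring helper: report uploads whose name contains invisible
    # characters or would turn into a dotfile once those are removed.
    flagged = []
    for original in filenames:
        cleaned = strip_invisible(original)
        if cleaned != original or cleaned.startswith("."):
            flagged.append(original)
    return flagged

if __name__ == "__main__":
    # Constructed sample upload names; not taken from any real log.
    samples = ["report.pdf", ".htaccess", "\u200b.htaccess", "\ufeffnotes.txt"]
    for s in samples:
        print(repr(s), "->", repr(sanitize_vulnerable_order(s)),
              "|", repr(sanitize_fixed_order(s)))
    print("flagged:", [repr(f) for f in flag_suspicious_uploads(samples)])
```

Running the block shows the vulnerable ordering emitting ".htaccess" for the zero-width-space-prefixed name while the fixed ordering emits "htaccess".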
