Detections
Analytics

CVE-2026-28289

high

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

References

https://www.infosecurity-magazine.com/news/zeroclick-freescout-bug-remote/

https://www.helpnetsecurity.com/2026/03/05/freescout-vulnerability-cve-2026-28289/

https://www.securityweek.com/critical-freescout-vulnerability-leads-to-full-server-compromise/

https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/

https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp

https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f

Details

Source: Mitre, NVD

Published: 2026-03-03

Updated: 2026-03-11

Named Vulnerability: Mail2Shell

Risk Information

CVSS v2

Base Score: 7.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Severity: High

CVSS v3

Base Score: 8.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.3114