CVE-2026-28289 – FreeScout – Remote Code Execution and Patch Bypass Vulnerabilities
“A simple file upload bug turned into a zero-click server takeover risk for FreeScout deployments.”
A security update addresses two serious vulnerabilities in FreeScout, the open-source help desk and shared inbox platform. The first issue, CVE-2026-27636, lets an authenticated user upload dangerous configuration files such as .htaccess because the upload validation's file extension restrictions were incomplete. On Apache servers where AllowOverride permits per-directory overrides for the upload location, the attacker-controlled .htaccess is honoured and can change how files in that directory are handled, which ultimately allows arbitrary code execution on the server; deployments that set AllowOverride None for that directory ignore the file and are not exposed through this vector. The CVSS score is 8.8 (High).
The second vulnerability, CVE-2026-28289, is a bypass of the patch for the first issue. Prefixing the filename with an invisible zero-width space character (U+200B) defeats the filename validation check, so a malicious .htaccess can still be uploaded. Researchers demonstrated that this weakness escalates to unauthenticated remote code execution: an attacker can get commands executed on the server simply by sending a crafted email to a mailbox that the FreeScout instance fetches, with no account on the help desk required. The CVSS score is 10.0 (Critical).
FreeScout fixed both issues in version 1.8.207 by tightening the file upload validation and sanitization logic so that dangerous filenames are rejected and the zero-width-space bypass no longer works. Administrators should upgrade to 1.8.207 or later.
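The following is an added illustration, not FreeScout's code: it models the class of bug behind the patch bypass and the fix described above. The assumption built into the vulnerable version is that the filename was validated before it was sanitized, so the string that passed the denylist check was not the string written to disk; a leading U+200B zero-width space then survives the check and is stripped afterwards, leaving .htaccess on disk. The denylists, allowlist and the `SAFE_NAME` pattern are constructed for the example. The hardened version sanitizes first, validates exactly the name it will store, refuses dotfiles and non-ASCII residue, and uses an extension allowlist rather than a denylist.

```python
import re
import unicodedata

# Constructed lists for illustration (assumption, not FreeScout's own):
# the denylist style the bypassed check relied on, and the allowlist the
# hardened version uses instead.
BLOCKED_NAMES = {".htaccess", ".htpasswd"}
BLOCKED_EXTENSIONS = {"php", "phtml", "phar"}
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "csv"}

# Shape of an acceptable on-disk name: ASCII only, starts with a letter or
# digit (so never a dotfile such as .htaccess), bounded length.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def strip_invisible(name: str) -> str:
    """Remove Unicode format characters (category Cf: U+200B ZERO WIDTH SPACE,
    U+200C/U+200D joiners, U+FEFF BOM, ...) and control characters (Cc)."""
    return "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))


def last_extension(name: str) -> str:
    """Lower-cased text after the final dot, or '' when there is no dot."""
    return name.rpartition(".")[2].lower() if "." in name else ""


def vulnerable_store_name(raw_name: str):
    """Check the raw name against a denylist, then sanitize it.

    Assumed ordering: validation first, sanitization second.  The string that
    passes the check is not the string written to disk, which is what a
    zero-width prefix exploits.  Returns the on-disk name or None if rejected.
    """
    lowered = raw_name.lower()
    if lowered in BLOCKED_NAMES or last_extension(lowered) in BLOCKED_EXTENSIONS:
        return None
    # "\u200b.htaccess" survives both tests above; stripping the zero-width
    # space here turns it into ".htaccess" on disk.
    return strip_invisible(raw_name)


def hardened_store_name(raw_name: str):
    """Sanitize first, then validate exactly the string that will be stored."""
    name = unicodedata.normalize("NFKC", raw_name)
    name = strip_invisible(name)
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path component
    if not SAFE_NAME.fullmatch(name):
        return None  # empty, leading dot, or non-ASCII residue
    segments = name.lower().split(".")
    if len(segments) < 2 or segments[-1] not in ALLOWED_EXTENSIONS:
        return None  # no extension, or extension not on the allowlist
    if any(seg in BLOCKED_EXTENSIONS or seg == "htaccess" for seg in segments[1:-1]):
        return None  # double extensions such as shell.php.jpg
    return name


if __name__ == "__main__":
    samples = (".htaccess", "\u200b.htaccess", "report.pdf", "shell.php.jpg")
    for label, check in (("vulnerable", vulnerable_store_name), ("hardened", hardened_store_name)):
        for sample in samples:
            print(f"{label:10} {sample!r:24} -> {check(sample)!r}")
```

The design point is that the name handed to the filesystem must be the same value the validator saw; any normalization (Unicode stripping, path removal, case folding) has to happen before the check, and the check should be a positive allowlist on the final name rather than a denylist on the raw one.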
Key Details (CVE-2026-28289)
- Affected Product
- FreeScout (vendor FreeScout), versions before 1.8.207
- Attack Vector
- Network
- Attack Complexity
- Low
- Privileges Required
- None (the earlier CVE-2026-27636 required an authenticated user)
- User Interaction
- None
- CWE Classification
- CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Fixed Version
- 1.8.207