Cyber Resilience

CVE-2026-28289

Severity: Critical · Public PoC
Published: 03 March 2026
Modified: 11 March 2026
KEV Added: not listed
Patch: available (FreeScout 1.8.207)
CVSS Score v3.1: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.3114 (98.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-28289 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Freescout Freescout. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 2.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).

Deeper analysis

FreeScout is a PHP-based help desk application built on the Laravel framework. CVE-2026-28289 is a patch-bypass vulnerability affecting version 1.8.206 and earlier that permits remote code execution. It resides in the sanitizeUploadedFileName function within app/Http/Helper.php, where a Time-of-Check to Time-of-Use flaw allows a zero-width space character to evade the dot-prefix check for .htaccess files before invisible-character sanitization occurs. The issue bypasses the fix originally introduced for CVE-2026-27636 and carries a CVSS 3.1 score of 10.0 under CWE-434.

Any authenticated user granted file-upload permissions can exploit the flaw by uploading a malicious .htaccess file whose name is prefixed with a zero-width space. Successful upload enables the attacker to place executable content on the server and achieve arbitrary code execution.

The vulnerability is resolved in FreeScout 1.8.207. The project’s GitHub advisory and the referenced commit detail the corrected sanitization logic that now strips invisible characters prior to the dot-prefix validation.

EPSS for the CVE rose from a low baseline to a peak of 0.2300 (current value 0.1622), indicating measurable post-disclosure exploitation interest that warrants renewed attention from defenders.

Vulnerability details

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
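The two analysis paragraphs above describe the same ordering defect: a dot-prefix check evaluated on the raw filename, followed by sanitization that removes invisible characters, so the value that is checked is not the value that is stored. The following Python is an added illustration written for this page; it is not FreeScout's sanitizeUploadedFileName() nor the fix referenced in the advisory. The function names (sanitize_check_then_strip, sanitize_strip_then_check, find_invisible_names) and the choice of Unicode categories Cf and Cc as "invisible" are assumptions made here. It goes slightly beyond the page by also running NFKC normalization before the check, which folds look-alikes such as the fullwidth full stop (U+FF0E) into an ASCII period, and by adding a small audit helper defenders can run over already-stored upload names.

```python
"""
Illustration (not FreeScout's code) of why an upload-filename sanitizer
must strip invisible characters BEFORE validating the dot prefix.
"""
import unicodedata

# Unicode general categories treated as invisible for filename purposes:
#   Cf = format characters (ZERO WIDTH SPACE U+200B, ZWJ, ZWNJ, BOM U+FEFF, ...)
#   Cc = control characters (NUL, CR, LF, ...)
# Assumption: no legitimate upload name needs any of these code points.
INVISIBLE_CATEGORIES = {"Cf", "Cc"}


def strip_invisible(name: str) -> str:
    """Drop every code point whose Unicode category is in INVISIBLE_CATEGORIES."""
    return "".join(
        ch for ch in name if unicodedata.category(ch) not in INVISIBLE_CATEGORIES
    )


def has_dot_prefix(name: str) -> bool:
    """Dot-prefixed names (.htaccess, .user.ini, ...) are what the check guards against."""
    return name.startswith(".")


def sanitize_check_then_strip(name: str) -> str:
    """Weak ordering (hypothetical model of the flaw): validate the raw name,
    then clean it. The stored value is the cleaned one, so the check and the
    stored value disagree whenever cleaning changes the first character."""
    if has_dot_prefix(name):
        raise ValueError("dot-prefixed filenames are not allowed")
    return strip_invisible(name)


def sanitize_strip_then_check(name: str) -> str:
    """Hardened ordering: canonicalise first, validate the canonical value,
    and store exactly the value that was validated."""
    cleaned = unicodedata.normalize("NFKC", name)  # e.g. fullwidth '.' (U+FF0E) -> '.'
    cleaned = strip_invisible(cleaned)             # remove zero-width / control chars
    cleaned = cleaned.strip()                      # leading/trailing whitespace
    if not cleaned or has_dot_prefix(cleaned):
        raise ValueError("filename rejected after canonicalisation")
    return cleaned


def is_rejected(sanitizer, name: str) -> bool:
    """True if the given sanitizer refuses the name."""
    try:
        sanitizer(name)
    except ValueError:
        return True
    return False


def find_invisible_names(names):
    """Defender-side audit: stored filenames that still contain invisible
    characters indicate uploads that passed through an insufficient sanitizer."""
    return [n for n in names if strip_invisible(n) != n]


if __name__ == "__main__":
    # Constructed sample: a zero-width space followed by ".htaccess".
    zw_name = "\u200b.htaccess"
    print(repr(sanitize_check_then_strip(zw_name)))        # '.htaccess' would be stored
    print(is_rejected(sanitize_strip_then_check, zw_name))  # True
    print(find_invisible_names(["report.pdf", zw_name]))   # ['\u200b.htaccess']
```

The point the example makes is that the fix is not a longer deny-list but an ordering rule: every transformation applied to the name (normalization, stripping, trimming) happens before the validation, and the validated string is the one written to disk. find_invisible_names() is the check a defender would run over an existing upload directory to spot names that were stored under the weaker ordering.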

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a patch bypass in the public-facing FreeScout web application, enabling remote code execution via crafted file upload, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-27636 (same product: Freescout Freescout)
CVE-2026-40496 (same product: Freescout Freescout)
CVE-2026-39384 (same product: Freescout Freescout)
CVE-2025-58163 (same product: Freescout Freescout)
CVE-2025-54366 (same product: Freescout Freescout)
CVE-2026-27637 (same product: Freescout Freescout)
CVE-2026-40498 (same product: Freescout Freescout)
CVE-2026-32752 (same product: Freescout Freescout)
CVE-2026-32754 (same product: Freescout Freescout)
CVE-2026-40497 (same product: Freescout Freescout)

Affected Assets

freescout / freescout: ≤ 1.8.207

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Enforces validation and sanitization of uploaded file names before storage, directly blocking the zero-width-space bypass of the dot-prefix check in sanitizeUploadedFileName().

prevent: Requires malicious-code scanning or execution restrictions on uploaded files, preventing the .htaccess-based RCE that results from the TOCTOU flaw.

prevent: Restricts uploadable file types and server-side execution capabilities, limiting the attack surface that allows an authenticated user to place executable .htaccess content.
