CVE-2026-28289
Published: 03 March 2026
Summary
CVE-2026-28289 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in FreeScout. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 4.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires timely remediation of software flaws, directly mitigating the patch bypass and TOCTOU vulnerability by applying the fix in FreeScout 1.8.207.
- Mandates validation of uploaded file names to reject malicious invisible characters like zero-width spaces before sanitization, preventing the bypass of dot-prefix checks.
- Enforces restrictions on uploaded file types and extensions, blocking dangerous files like .htaccess regardless of name manipulation tricks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a patch bypass in the public-facing FreeScout web application, enabling remote code execution via crafted file upload, directly mapping to exploitation of public-facing applications.
NVD Description
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Deeper analysis
CVE-2026-28289 is a patch bypass vulnerability affecting FreeScout, a free help desk and shared inbox application built with PHP's Laravel framework, in versions 1.8.206 and earlier. It circumvents protections added for the prior CVE-2026-27636 by exploiting a Time-of-Check to Time-of-Use (TOCTOU) flaw in the sanitizeUploadedFileName() function within app/Http/Helper.php. Attackers can upload a malicious .htaccess file prefixed with a zero-width space character, which evades the dot-prefix security check performed before invisible characters are sanitized, enabling server-side execution of arbitrary code.
Any authenticated user with file upload permissions can exploit this vulnerability remotely over the network with low complexity, achieving remote code execution (RCE) on the affected server. The CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) reflects its critical severity, including high impacts on confidentiality, integrity, and availability with changed scope.
The vulnerability is fixed in FreeScout version 1.8.207, as detailed in the project's GitHub security advisory (GHSA-5gpc-65p8-ffwp) and the patching commit (f7bc16c56a6b13c06da52ad51fd666546b40818f). Security practitioners should upgrade to the patched version immediately and review file upload configurations to restrict permissions where possible. Additional analysis is available in the OX Security blog post on the issue.
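The check-before-sanitize ordering described above, modelled as an added Python illustration rather than FreeScout's PHP code (the function names, the rename strategy and the deny list are constructed for this example), placed next to the hardened ordering in which the name that is checked is the name that is used:

```python
import unicodedata
from typing import Optional

# Server-configuration files that must never be accepted as uploads, whatever
# the name looks like (constructed deny list for this example, not the project's).
DENIED_BASENAMES = {"htaccess", "htpasswd", "web.config"}


def strip_invisible(name: str) -> str:
    """Remove Unicode format characters (category Cf), which covers zero-width
    spaces, zero-width joiners, the word joiner and the BOM."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def neutralise_dotfile(name: str) -> str:
    """Rename a dot-prefixed name so it can no longer act as a hidden/config file."""
    return "_" + name.lstrip(".") if name.startswith(".") else name


def sanitize_vulnerable(name: str) -> str:
    """Model of the flawed ordering: the dot-prefix check runs on the raw name and
    only afterwards are invisible characters removed, so a leading U+200B hides
    the dot from the check and then vanishes, leaving '.htaccess' on disk."""
    name = neutralise_dotfile(name)      # time of check: first char is U+200B
    return strip_invisible(name)         # time of use: first char is now '.'


def sanitize_fixed(name: str) -> str:
    """Hardened ordering: canonicalise first, then check the canonical form."""
    name = strip_invisible(name)
    return neutralise_dotfile(name)


def is_denied(name: str) -> bool:
    """Defence in depth (SI-10 style): reject dangerous basenames outright after
    canonicalisation, independent of how the dot-prefix check behaves."""
    canonical = strip_invisible(name).lstrip("._").lower()
    return canonical in DENIED_BASENAMES


def accept_upload(name: str) -> Optional[str]:
    """Return the filename to store, or None when the upload must be rejected."""
    if is_denied(name):
        return None
    return sanitize_fixed(name)
```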
Details
- CWE(s)