CVE-2026-28289
Published: 03 March 2026
Summary
CVE-2026-28289 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in FreeScout. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 2.0% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and CM-7 (Least Functionality).
Deeper analysis
FreeScout is a PHP-based help desk application built on the Laravel framework. CVE-2026-28289 is a patch-bypass vulnerability affecting version 1.8.206 and earlier that permits remote code execution. It resides in the sanitizeUploadedFileName function within app/Http/Helper.php, where a Time-of-Check to Time-of-Use flaw arises because the dot-prefix check for .htaccess files runs before invisible characters are sanitized: a filename prefixed with a zero-width space character does not start with a dot at check time, and only afterwards is the prefix stripped. The issue bypasses the fix originally introduced for CVE-2026-27636 and carries a CVSS 3.1 score of 10.0 under CWE-434.
Any authenticated user granted file-upload permissions can exploit the flaw by uploading a malicious .htaccess file whose name is prefixed with a zero-width space. Successful upload enables the attacker to place executable content on the server and achieve arbitrary code execution.
The vulnerability is resolved in FreeScout 1.8.207. The project’s GitHub advisory and the referenced commit detail the corrected sanitization logic that now strips invisible characters prior to the dot-prefix validation.
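To make the ordering problem concrete, here is an added illustration that is not FreeScout's code and not the real sanitizeUploadedFileName implementation: two hypothetical PHP sanitizers that differ only in whether the dot-prefix check runs before or after invisible characters are stripped. The list of invisible code points and the underscore-based dot-file handling are assumptions for this example (PHP 8.0+ for str_starts_with).

```php
<?php
// Added illustration, not FreeScout's code: two hypothetical filename
// sanitizers that differ only in whether the dot-prefix check runs before
// or after invisible characters are stripped.

// Constructed list of zero-width / invisible code points; a real filter
// would need to cover more.
const INVISIBLE_CHARS = ["\u{200B}", "\u{200C}", "\u{200D}", "\u{2060}", "\u{FEFF}"];

function stripInvisible(string $name): string
{
    return str_replace(INVISIBLE_CHARS, '', $name);
}

// Assumed handling for dot-files: replace the leading dot(s) with an underscore.
function neutraliseDotPrefix(string $name): string
{
    return str_starts_with($name, '.') ? '_' . ltrim($name, '.') : $name;
}

// Vulnerable ordering: the check sees "\u{200B}.htaccess", which does not
// start with '.', so the name passes; stripping afterwards leaves ".htaccess".
function sanitizeCheckThenStrip(string $name): string
{
    return stripInvisible(neutraliseDotPrefix($name));
}

// Fixed ordering: normalise first, then run the check on the normalised name.
function sanitizeStripThenCheck(string $name): string
{
    return neutraliseDotPrefix(stripInvisible($name));
}

// Constructed inputs: a zero-width-space-prefixed dot-file, a plain dot-file,
// and an ordinary upload name. json_encode() makes the invisible byte visible.
foreach (["\u{200B}.htaccess", ".htaccess", "report.pdf"] as $input) {
    printf("%-24s check-then-strip=%-12s strip-then-check=%s\n",
        json_encode($input),
        sanitizeCheckThenStrip($input),
        sanitizeStripThenCheck($input));
}
```

The same ordering rule applies to any normalisation step (Unicode, case folding, path separators): every check must run on the fully normalised value, never on the raw one.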
EPSS for the CVE rose from a low baseline to a peak of 0.2300 (current value 0.1622), indicating measurable post-disclosure exploitation interest that warrants renewed attention from defenders.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9347
Vulnerability details
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a patch bypass in the public-facing FreeScout web application, enabling remote code execution via crafted file upload, directly mapping to exploitation of public-facing applications.
Mitigating Controls (NIST 800-53 r5)
- Enforces validation and sanitization of uploaded file names before storage, directly blocking the zero-width-space bypass of the dot-prefix check in sanitizeUploadedFileName().
- Requires malicious-code scanning or execution restrictions on uploaded files, preventing the .htaccess-based RCE that results from the TOCTOU flaw.
- Restricts uploadable file types and server-side execution capabilities, limiting the attack surface that allows an authenticated user to place executable .htaccess content.