CVE-2026-41193
Published: 21 April 2026
Summary
CVE-2026-41193 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates path traversal in ZIP extraction by enforcing validation of file paths during module installation.
Requires timely application of patches like FreeScout 1.8.215 to remediate the ZIP path validation flaw.
Restricts or approves user-installed modules, reducing risks from uploading unvalidated ZIP archives.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Path traversal in web app ZIP extraction enables arbitrary file writes, directly facilitating exploitation of public-facing application (T1190) and web shell deployment for RCE (T1100).
NVD Description
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authenticated admin to write files arbitrarily on the server filesystem via a specially…
more
crafted ZIP. Version 1.8.215 fixes the vulnerability.
Deeper analysisAI
CVE-2026-41193 is a path traversal vulnerability (CWE-22) in the module installation feature of FreeScout, a free self-hosted help desk and shared mailbox application. Prior to version 1.8.215, the feature extracts ZIP archives without validating file paths, enabling arbitrary file writes on the server filesystem. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to high confidentiality, integrity, and availability impacts with changed scope.
An authenticated administrator (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) by uploading a specially crafted ZIP archive during module installation. Successful exploitation allows arbitrary file writes anywhere on the server filesystem, potentially leading to remote code execution, privilege escalation, or full server compromise depending on the write location and permissions.
Mitigation is addressed in FreeScout version 1.8.215, which fixes the ZIP extraction validation issue. Security practitioners should upgrade to this version immediately. Relevant resources include the fix commit at https://github.com/freescout-help-desk/freescout/commit/14f17a5cd22d217103a72b431b47b1f06996227b, the release page at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215, and the GitHub security advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-r85m-5mc9-cc9w.
Details
- CWE(s)