Cyber Resilience

CVE-2026-41193

Critical

Published: 21 April 2026

Published
21 April 2026
Modified
22 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0039 30.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-41193 is a critical-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-41193 is a path traversal vulnerability (CWE-22) in the module installation feature of FreeScout, a free self-hosted help desk and shared mailbox application. Prior to version 1.8.215, the feature extracts ZIP archives without validating file paths, enabling arbitrary file writes on the server filesystem. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H), reflecting its critical severity due to high confidentiality, integrity, and availability impacts with changed scope.

An authenticated administrator (PR:H) can exploit this vulnerability remotely over the network (AV:N) with low complexity (AC:L) by uploading a specially crafted ZIP archive during module installation. Successful exploitation allows arbitrary file writes anywhere on the server filesystem, potentially leading to remote code execution, privilege escalation, or full server compromise depending on the write location and permissions.

Mitigation is addressed in FreeScout version 1.8.215, which fixes the ZIP extraction validation issue. Security practitioners should upgrade to this version immediately. Relevant resources include the fix commit at https://github.com/freescout-help-desk/freescout/commit/14f17a5cd22d217103a72b431b47b1f06996227b, the release page at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215, and the GitHub security advisory at https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-r85m-5mc9-cc9w.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authenticated admin to write files arbitrarily on the server filesystem via a specially…

more

crafted ZIP. Version 1.8.215 fixes the vulnerability.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in web app ZIP extraction enables arbitrary file writes, directly facilitating exploitation of public-facing application (T1190) and web shell deployment for RCE (T1100).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24406Shared CWE-22
CVE-2026-24848Shared CWE-22
CVE-2024-11642Shared CWE-22
CVE-2026-36760Shared CWE-22
CVE-2024-44373Shared CWE-22
CVE-2026-33529Shared CWE-22
CVE-2026-7519Shared CWE-22
CVE-2019-25480Shared CWE-22
CVE-2026-39844Shared CWE-22
CVE-2026-34607Shared CWE-22

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates path traversal in ZIP extraction by enforcing validation of file paths during module installation.

prevent

Requires timely application of patches like FreeScout 1.8.215 to remediate the ZIP path validation flaw.

prevent

Restricts or approves user-installed modules, reducing risks from uploading unvalidated ZIP archives.

References