CVE-2026-27636 - Vulnerability Analysis

Overview

FreeScout < 1.8.206 contains a remote code execution vulnerability caused by missing file upload restrictions for .htaccess and .user.ini files in app/Misc/Helper.php, letting authenticated users upload malicious files on Apache servers with AllowOverride All.

Severity & Score

Impact

Authenticated users can execute arbitrary code remotely by uploading malicious configuration files, potentially compromising the server.

Mitigation

Upgrade to version 1.8.206 or later.

References

• https://github.com/freescout-help-desk/freescout/commit/9984071e6f1b4e633fdcffcea82bbebc9c1e009c
• https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v8xf-j9v9
• https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x7j3-74vc

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 4, 2026

🔴 CVE-2026-28289 - Critical (10) FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code E... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-28289/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

GitHub Repositories(1 repo)

• https://github.com/rav1010/CVE-2026-27636

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner