LeakyCreds

CVE-2026-28289 - Vulnerability Analysis

Severity: Critical (CVSS: 10.0)

Last Updated: March 5, 2026

FreeScout - Remote Code Execution

Published: March 3, 2026
Updated: March 5, 2026
PoC Available; Remote Exploitable

Overview

FreeScout <= 1.8.206 contains a remote code execution vulnerability caused by a time-of-check-to-time-of-use (TOCTOU) flaw in sanitizeUploadedFileName(). It allows authenticated users with file upload permissions to bypass the filename checks by uploading a .htaccess file whose name is prefixed with a zero-width space.
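The following is an added illustration of the check-before-sanitize ordering the overview describes, written in Python rather than FreeScout's PHP; it is not FreeScout's code, and the exact logic of the real sanitizeUploadedFileName() is an assumption here. It shows why a name check has to run on the string that will actually be written to disk, not on the raw input.

```python
import unicodedata

# Constructed model of the flaw class described for CVE-2026-28289:
# the blocklist check runs on the raw name, and only afterwards are
# invisible characters stripped. Not FreeScout's code (assumption).

BLOCKED_NAMES = {".htaccess", ".htpasswd", "web.config"}


def strip_invisible(name: str) -> str:
    """Drop Unicode format characters (category Cf), which include the
    zero-width space U+200B, zero-width joiner/non-joiner and U+FEFF."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def is_blocked(name: str) -> bool:
    return name.lower() in BLOCKED_NAMES


def vulnerable_upload(raw: str) -> tuple[bool, str]:
    """Check, then sanitize. The check compares the raw name, so a name
    with a leading zero-width space is not in BLOCKED_NAMES and passes;
    the sanitizer then removes that character and ".htaccess" is the
    name that reaches the disk."""
    if is_blocked(raw):
        return (False, "")
    return (True, strip_invisible(raw))


def hardened_upload(raw: str) -> tuple[bool, str]:
    """Sanitize first, then check the exact string that will be stored.
    Also rejects empty names, dotfiles and path separators after cleaning."""
    cleaned = strip_invisible(unicodedata.normalize("NFKC", raw)).strip()
    if not cleaned or cleaned.startswith(".") or "/" in cleaned or "\\" in cleaned:
        return (False, "")
    if is_blocked(cleaned):
        return (False, "")
    return (True, cleaned)


if __name__ == "__main__":
    # Constructed sample inputs: one evasive name, one ordinary attachment.
    for name in ["\u200b.htaccess", "invoice.pdf"]:
        print(repr(name), "vulnerable:", vulnerable_upload(name),
              "hardened:", hardened_upload(name))
```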

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 1767.8% (probability of exploitation in the next 30 days)

Impact

Authenticated users with file upload permissions can execute arbitrary code remotely, leading to full server compromise.

Mitigation

Upgrade to version 1.8.207 or later.

Social Media Activity (1 post)

Metasploit
@metasploit
Apr 3, 2026

Metasploit Framework is here with 5 new modules! Exploits for FreeScout (CVE-2026-28289) and Grav CMS (CVE-2025-50286) RCEs, plus a generic HTTP command execution module and a new Windows persistence technique. We also have a slew of bug fixes and enhancements including SOCKS proxy performance improvements #Metasploit https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-04-03-2026/1


Details

CVE ID: CVE-2026-28289
Severity: Critical
CVSS Score: 10.0
Type: unrestricted_file_upload
Status: confirmed
EPSS: 1767.8%
Social Posts: 1

CWE

  • CWE-434

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

1767.8% (probability of exploitation in the next 30 days)