Vulnerability Details CVE-2026-28289
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 11.0%
CVSS Severity
CVSS v3 Score 10.0
References
Products affected by CVE-2026-28289
-
cpe:2.3:a:freescout:freescout:-
-
cpe:2.3:a:freescout:freescout:1.0.0
-
cpe:2.3:a:freescout:freescout:1.0.2
-
cpe:2.3:a:freescout:freescout:1.0.3
-
cpe:2.3:a:freescout:freescout:1.0.4
-
cpe:2.3:a:freescout:freescout:1.0.5
-
cpe:2.3:a:freescout:freescout:1.0.6
-
cpe:2.3:a:freescout:freescout:1.0.7
-
cpe:2.3:a:freescout:freescout:1.0.8
-
cpe:2.3:a:freescout:freescout:1.0.9
-
cpe:2.3:a:freescout:freescout:1.1.0
-
cpe:2.3:a:freescout:freescout:1.1.1
-
cpe:2.3:a:freescout:freescout:1.1.10
-
cpe:2.3:a:freescout:freescout:1.1.2
-
cpe:2.3:a:freescout:freescout:1.1.3
-
cpe:2.3:a:freescout:freescout:1.1.4
-
cpe:2.3:a:freescout:freescout:1.1.5
-
cpe:2.3:a:freescout:freescout:1.1.6
-
cpe:2.3:a:freescout:freescout:1.1.7
-
cpe:2.3:a:freescout:freescout:1.1.8
-
cpe:2.3:a:freescout:freescout:1.1.9
-
cpe:2.3:a:freescout:freescout:1.2.0
-
cpe:2.3:a:freescout:freescout:1.2.1
-
cpe:2.3:a:freescout:freescout:1.2.2
-
cpe:2.3:a:freescout:freescout:1.2.3
-
cpe:2.3:a:freescout:freescout:1.2.4
-
cpe:2.3:a:freescout:freescout:1.2.5
-
cpe:2.3:a:freescout:freescout:1.2.6
-
cpe:2.3:a:freescout:freescout:1.3.0
-
cpe:2.3:a:freescout:freescout:1.3.1
-
cpe:2.3:a:freescout:freescout:1.3.10
-
cpe:2.3:a:freescout:freescout:1.3.11
-
cpe:2.3:a:freescout:freescout:1.3.12
-
cpe:2.3:a:freescout:freescout:1.3.13
-
cpe:2.3:a:freescout:freescout:1.3.14
-
cpe:2.3:a:freescout:freescout:1.3.15
-
cpe:2.3:a:freescout:freescout:1.3.16
-
cpe:2.3:a:freescout:freescout:1.3.17
-
cpe:2.3:a:freescout:freescout:1.3.18
-
cpe:2.3:a:freescout:freescout:1.3.19
-
cpe:2.3:a:freescout:freescout:1.3.2
-
cpe:2.3:a:freescout:freescout:1.3.3
-
cpe:2.3:a:freescout:freescout:1.3.4
-
cpe:2.3:a:freescout:freescout:1.3.5
-
cpe:2.3:a:freescout:freescout:1.3.6
-
cpe:2.3:a:freescout:freescout:1.3.7
-
cpe:2.3:a:freescout:freescout:1.3.8
-
cpe:2.3:a:freescout:freescout:1.3.9
-
cpe:2.3:a:freescout:freescout:1.4.0
-
cpe:2.3:a:freescout:freescout:1.4.1
-
cpe:2.3:a:freescout:freescout:1.4.10
-
cpe:2.3:a:freescout:freescout:1.4.11
-
cpe:2.3:a:freescout:freescout:1.4.12
-
cpe:2.3:a:freescout:freescout:1.4.2
-
cpe:2.3:a:freescout:freescout:1.4.3
-
cpe:2.3:a:freescout:freescout:1.4.4
-
cpe:2.3:a:freescout:freescout:1.4.6
-
cpe:2.3:a:freescout:freescout:1.4.7
-
cpe:2.3:a:freescout:freescout:1.4.8
-
cpe:2.3:a:freescout:freescout:1.4.9
-
cpe:2.3:a:freescout:freescout:1.5.0
-
cpe:2.3:a:freescout:freescout:1.5.1
-
cpe:2.3:a:freescout:freescout:1.5.10
-
cpe:2.3:a:freescout:freescout:1.5.11
-
cpe:2.3:a:freescout:freescout:1.5.12
-
cpe:2.3:a:freescout:freescout:1.5.13
-
cpe:2.3:a:freescout:freescout:1.5.14
-
cpe:2.3:a:freescout:freescout:1.5.15
-
cpe:2.3:a:freescout:freescout:1.5.2
-
cpe:2.3:a:freescout:freescout:1.5.3
-
cpe:2.3:a:freescout:freescout:1.5.4
-
cpe:2.3:a:freescout:freescout:1.5.5
-
cpe:2.3:a:freescout:freescout:1.5.6
-
cpe:2.3:a:freescout:freescout:1.5.7
-
cpe:2.3:a:freescout:freescout:1.5.8
-
cpe:2.3:a:freescout:freescout:1.5.9
-
cpe:2.3:a:freescout:freescout:1.6.0
-
cpe:2.3:a:freescout:freescout:1.6.1
-
cpe:2.3:a:freescout:freescout:1.6.10
-
cpe:2.3:a:freescout:freescout:1.6.11
-
cpe:2.3:a:freescout:freescout:1.6.12
-
cpe:2.3:a:freescout:freescout:1.6.13
-
cpe:2.3:a:freescout:freescout:1.6.14
-
cpe:2.3:a:freescout:freescout:1.6.15
-
cpe:2.3:a:freescout:freescout:1.6.16
-
cpe:2.3:a:freescout:freescout:1.6.17
-
cpe:2.3:a:freescout:freescout:1.6.18
-
cpe:2.3:a:freescout:freescout:1.6.19
-
cpe:2.3:a:freescout:freescout:1.6.2
-
cpe:2.3:a:freescout:freescout:1.6.20
-
cpe:2.3:a:freescout:freescout:1.6.3
-
cpe:2.3:a:freescout:freescout:1.6.4
-
cpe:2.3:a:freescout:freescout:1.6.5
-
cpe:2.3:a:freescout:freescout:1.6.6
-
cpe:2.3:a:freescout:freescout:1.6.7
-
cpe:2.3:a:freescout:freescout:1.6.8
-
cpe:2.3:a:freescout:freescout:1.6.9
-
cpe:2.3:a:freescout:freescout:1.7.0
-
cpe:2.3:a:freescout:freescout:1.7.1
-
cpe:2.3:a:freescout:freescout:1.7.10
-
cpe:2.3:a:freescout:freescout:1.7.11
-
cpe:2.3:a:freescout:freescout:1.7.12
-
cpe:2.3:a:freescout:freescout:1.7.13
-
cpe:2.3:a:freescout:freescout:1.7.14
-
cpe:2.3:a:freescout:freescout:1.7.15
-
cpe:2.3:a:freescout:freescout:1.7.16
-
cpe:2.3:a:freescout:freescout:1.7.17
-
cpe:2.3:a:freescout:freescout:1.7.18
-
cpe:2.3:a:freescout:freescout:1.7.19
-
cpe:2.3:a:freescout:freescout:1.7.2
-
cpe:2.3:a:freescout:freescout:1.7.20
-
cpe:2.3:a:freescout:freescout:1.7.21
-
cpe:2.3:a:freescout:freescout:1.7.22
-
cpe:2.3:a:freescout:freescout:1.7.23
-
cpe:2.3:a:freescout:freescout:1.7.24
-
cpe:2.3:a:freescout:freescout:1.7.25
-
cpe:2.3:a:freescout:freescout:1.7.26
-
cpe:2.3:a:freescout:freescout:1.7.27
-
cpe:2.3:a:freescout:freescout:1.7.28
-
cpe:2.3:a:freescout:freescout:1.7.29
-
cpe:2.3:a:freescout:freescout:1.7.3
-
cpe:2.3:a:freescout:freescout:1.7.30
-
cpe:2.3:a:freescout:freescout:1.7.4
-
cpe:2.3:a:freescout:freescout:1.7.5
-
cpe:2.3:a:freescout:freescout:1.7.6
-
cpe:2.3:a:freescout:freescout:1.7.7
-
cpe:2.3:a:freescout:freescout:1.7.9
-
cpe:2.3:a:freescout:freescout:1.8.0
-
cpe:2.3:a:freescout:freescout:1.8.1
-
cpe:2.3:a:freescout:freescout:1.8.10
-
cpe:2.3:a:freescout:freescout:1.8.100
-
cpe:2.3:a:freescout:freescout:1.8.101
-
cpe:2.3:a:freescout:freescout:1.8.102
-
cpe:2.3:a:freescout:freescout:1.8.103
-
cpe:2.3:a:freescout:freescout:1.8.104
-
cpe:2.3:a:freescout:freescout:1.8.105
-
cpe:2.3:a:freescout:freescout:1.8.106
-
cpe:2.3:a:freescout:freescout:1.8.107
-
cpe:2.3:a:freescout:freescout:1.8.108
-
cpe:2.3:a:freescout:freescout:1.8.109
-
cpe:2.3:a:freescout:freescout:1.8.11
-
cpe:2.3:a:freescout:freescout:1.8.110
-
cpe:2.3:a:freescout:freescout:1.8.111
-
cpe:2.3:a:freescout:freescout:1.8.112
-
cpe:2.3:a:freescout:freescout:1.8.113
-
cpe:2.3:a:freescout:freescout:1.8.114
-
cpe:2.3:a:freescout:freescout:1.8.115
-
cpe:2.3:a:freescout:freescout:1.8.116
-
cpe:2.3:a:freescout:freescout:1.8.117
-
cpe:2.3:a:freescout:freescout:1.8.118
-
cpe:2.3:a:freescout:freescout:1.8.119
-
cpe:2.3:a:freescout:freescout:1.8.12
-
cpe:2.3:a:freescout:freescout:1.8.120
-
cpe:2.3:a:freescout:freescout:1.8.121
-
cpe:2.3:a:freescout:freescout:1.8.122
-
cpe:2.3:a:freescout:freescout:1.8.123
-
cpe:2.3:a:freescout:freescout:1.8.124
-
cpe:2.3:a:freescout:freescout:1.8.125
-
cpe:2.3:a:freescout:freescout:1.8.126
-
cpe:2.3:a:freescout:freescout:1.8.127
-
cpe:2.3:a:freescout:freescout:1.8.128
-
cpe:2.3:a:freescout:freescout:1.8.129
-
cpe:2.3:a:freescout:freescout:1.8.13
-
cpe:2.3:a:freescout:freescout:1.8.130
-
cpe:2.3:a:freescout:freescout:1.8.131
-
cpe:2.3:a:freescout:freescout:1.8.132
-
cpe:2.3:a:freescout:freescout:1.8.133
-
cpe:2.3:a:freescout:freescout:1.8.134
-
cpe:2.3:a:freescout:freescout:1.8.135
-
cpe:2.3:a:freescout:freescout:1.8.136
-
cpe:2.3:a:freescout:freescout:1.8.137
-
cpe:2.3:a:freescout:freescout:1.8.138
-
cpe:2.3:a:freescout:freescout:1.8.139
-
cpe:2.3:a:freescout:freescout:1.8.14
-
cpe:2.3:a:freescout:freescout:1.8.140
-
cpe:2.3:a:freescout:freescout:1.8.141
-
cpe:2.3:a:freescout:freescout:1.8.142
-
cpe:2.3:a:freescout:freescout:1.8.143
-
cpe:2.3:a:freescout:freescout:1.8.144
-
cpe:2.3:a:freescout:freescout:1.8.145
-
cpe:2.3:a:freescout:freescout:1.8.146
-
cpe:2.3:a:freescout:freescout:1.8.147
-
cpe:2.3:a:freescout:freescout:1.8.148
-
cpe:2.3:a:freescout:freescout:1.8.149
-
cpe:2.3:a:freescout:freescout:1.8.15
-
cpe:2.3:a:freescout:freescout:1.8.150
-
cpe:2.3:a:freescout:freescout:1.8.151
-
cpe:2.3:a:freescout:freescout:1.8.152
-
cpe:2.3:a:freescout:freescout:1.8.153
-
cpe:2.3:a:freescout:freescout:1.8.154
-
cpe:2.3:a:freescout:freescout:1.8.155
-
cpe:2.3:a:freescout:freescout:1.8.156
-
cpe:2.3:a:freescout:freescout:1.8.157
-
cpe:2.3:a:freescout:freescout:1.8.158
-
cpe:2.3:a:freescout:freescout:1.8.159
-
cpe:2.3:a:freescout:freescout:1.8.16
-
cpe:2.3:a:freescout:freescout:1.8.160
-
cpe:2.3:a:freescout:freescout:1.8.161
-
cpe:2.3:a:freescout:freescout:1.8.162
-
cpe:2.3:a:freescout:freescout:1.8.163
-
cpe:2.3:a:freescout:freescout:1.8.164
-
cpe:2.3:a:freescout:freescout:1.8.165
-
cpe:2.3:a:freescout:freescout:1.8.166
-
cpe:2.3:a:freescout:freescout:1.8.167
-
cpe:2.3:a:freescout:freescout:1.8.168
-
cpe:2.3:a:freescout:freescout:1.8.169
-
cpe:2.3:a:freescout:freescout:1.8.17
-
cpe:2.3:a:freescout:freescout:1.8.170
-
cpe:2.3:a:freescout:freescout:1.8.171
-
cpe:2.3:a:freescout:freescout:1.8.172
-
cpe:2.3:a:freescout:freescout:1.8.173
-
cpe:2.3:a:freescout:freescout:1.8.174
-
cpe:2.3:a:freescout:freescout:1.8.175
-
cpe:2.3:a:freescout:freescout:1.8.176
-
cpe:2.3:a:freescout:freescout:1.8.177
-
cpe:2.3:a:freescout:freescout:1.8.178
-
cpe:2.3:a:freescout:freescout:1.8.179
-
cpe:2.3:a:freescout:freescout:1.8.18
-
cpe:2.3:a:freescout:freescout:1.8.180
-
cpe:2.3:a:freescout:freescout:1.8.181
-
cpe:2.3:a:freescout:freescout:1.8.182
-
cpe:2.3:a:freescout:freescout:1.8.183
-
cpe:2.3:a:freescout:freescout:1.8.184
-
cpe:2.3:a:freescout:freescout:1.8.185
-
cpe:2.3:a:freescout:freescout:1.8.186
-
cpe:2.3:a:freescout:freescout:1.8.187
-
cpe:2.3:a:freescout:freescout:1.8.188
-
cpe:2.3:a:freescout:freescout:1.8.189
-
cpe:2.3:a:freescout:freescout:1.8.19
-
cpe:2.3:a:freescout:freescout:1.8.190
-
cpe:2.3:a:freescout:freescout:1.8.191
-
cpe:2.3:a:freescout:freescout:1.8.192
-
cpe:2.3:a:freescout:freescout:1.8.2
-
cpe:2.3:a:freescout:freescout:1.8.20
-
cpe:2.3:a:freescout:freescout:1.8.21
-
cpe:2.3:a:freescout:freescout:1.8.22
-
cpe:2.3:a:freescout:freescout:1.8.23
-
cpe:2.3:a:freescout:freescout:1.8.24
-
cpe:2.3:a:freescout:freescout:1.8.25
-
cpe:2.3:a:freescout:freescout:1.8.26
-
cpe:2.3:a:freescout:freescout:1.8.27
-
cpe:2.3:a:freescout:freescout:1.8.28
-
cpe:2.3:a:freescout:freescout:1.8.29
-
cpe:2.3:a:freescout:freescout:1.8.3
-
cpe:2.3:a:freescout:freescout:1.8.30
-
cpe:2.3:a:freescout:freescout:1.8.31
-
cpe:2.3:a:freescout:freescout:1.8.32
-
cpe:2.3:a:freescout:freescout:1.8.33
-
cpe:2.3:a:freescout:freescout:1.8.34
-
cpe:2.3:a:freescout:freescout:1.8.35
-
cpe:2.3:a:freescout:freescout:1.8.36
-
cpe:2.3:a:freescout:freescout:1.8.37
-
cpe:2.3:a:freescout:freescout:1.8.38
-
cpe:2.3:a:freescout:freescout:1.8.39
-
cpe:2.3:a:freescout:freescout:1.8.4
-
cpe:2.3:a:freescout:freescout:1.8.40
-
cpe:2.3:a:freescout:freescout:1.8.41
-
cpe:2.3:a:freescout:freescout:1.8.42
-
cpe:2.3:a:freescout:freescout:1.8.43
-
cpe:2.3:a:freescout:freescout:1.8.44
-
cpe:2.3:a:freescout:freescout:1.8.45
-
cpe:2.3:a:freescout:freescout:1.8.46
-
cpe:2.3:a:freescout:freescout:1.8.47
-
cpe:2.3:a:freescout:freescout:1.8.48
-
cpe:2.3:a:freescout:freescout:1.8.49
-
cpe:2.3:a:freescout:freescout:1.8.5
-
cpe:2.3:a:freescout:freescout:1.8.50
-
cpe:2.3:a:freescout:freescout:1.8.51
-
cpe:2.3:a:freescout:freescout:1.8.52
-
cpe:2.3:a:freescout:freescout:1.8.53
-
cpe:2.3:a:freescout:freescout:1.8.54
-
cpe:2.3:a:freescout:freescout:1.8.55
-
cpe:2.3:a:freescout:freescout:1.8.56
-
cpe:2.3:a:freescout:freescout:1.8.57
-
cpe:2.3:a:freescout:freescout:1.8.58
-
cpe:2.3:a:freescout:freescout:1.8.59
-
cpe:2.3:a:freescout:freescout:1.8.6
-
cpe:2.3:a:freescout:freescout:1.8.60
-
cpe:2.3:a:freescout:freescout:1.8.61
-
cpe:2.3:a:freescout:freescout:1.8.62
-
cpe:2.3:a:freescout:freescout:1.8.63
-
cpe:2.3:a:freescout:freescout:1.8.65
-
cpe:2.3:a:freescout:freescout:1.8.66
-
cpe:2.3:a:freescout:freescout:1.8.67
-
cpe:2.3:a:freescout:freescout:1.8.68
-
cpe:2.3:a:freescout:freescout:1.8.69
-
cpe:2.3:a:freescout:freescout:1.8.7
-
cpe:2.3:a:freescout:freescout:1.8.70
-
cpe:2.3:a:freescout:freescout:1.8.71
-
cpe:2.3:a:freescout:freescout:1.8.72
-
cpe:2.3:a:freescout:freescout:1.8.73
-
cpe:2.3:a:freescout:freescout:1.8.74
-
cpe:2.3:a:freescout:freescout:1.8.75
-
cpe:2.3:a:freescout:freescout:1.8.76
-
cpe:2.3:a:freescout:freescout:1.8.77
-
cpe:2.3:a:freescout:freescout:1.8.78
-
cpe:2.3:a:freescout:freescout:1.8.79
-
cpe:2.3:a:freescout:freescout:1.8.8
-
cpe:2.3:a:freescout:freescout:1.8.80
-
cpe:2.3:a:freescout:freescout:1.8.81
-
cpe:2.3:a:freescout:freescout:1.8.82
-
cpe:2.3:a:freescout:freescout:1.8.83
-
cpe:2.3:a:freescout:freescout:1.8.84
-
cpe:2.3:a:freescout:freescout:1.8.85
-
cpe:2.3:a:freescout:freescout:1.8.86
-
cpe:2.3:a:freescout:freescout:1.8.87
-
cpe:2.3:a:freescout:freescout:1.8.88
-
cpe:2.3:a:freescout:freescout:1.8.89
-
cpe:2.3:a:freescout:freescout:1.8.9
-
cpe:2.3:a:freescout:freescout:1.8.90
-
cpe:2.3:a:freescout:freescout:1.8.91
-
cpe:2.3:a:freescout:freescout:1.8.92
-
cpe:2.3:a:freescout:freescout:1.8.93
-
cpe:2.3:a:freescout:freescout:1.8.94
-
cpe:2.3:a:freescout:freescout:1.8.95
-
cpe:2.3:a:freescout:freescout:1.8.96
-
cpe:2.3:a:freescout:freescout:1.8.97
-
cpe:2.3:a:freescout:freescout:1.8.98
-
cpe:2.3:a:freescout:freescout:1.8.99