CVE-2026-28289

{"id": "CVE-2026-28289", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.2}]}, "published": "2026-03-03T23:15:56.550", "references": [{"url": "https://github.com/freescout-help-desk/freescout/commit/f7bc16c56a6b13c06da52ad51fd666546b40818f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-5gpc-65p8-ffwp", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://www.ox.security/blog/freescout-rce-cve-2026-28289/", "tags": ["Exploit", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-434"}]}], "descriptions": [{"lang": "en", "value": "FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207."}, {"lang": "es", "value": "FreeScout es una mesa de ayuda gratuita y una bandeja de entrada compartida construida con el framework Laravel de PHP. Una vulnerabilidad de omisi\u00f3n de parche para CVE-2026-27636 en FreeScout 1.8.206 y anteriores permite a cualquier usuario autenticado con permisos de carga de archivos lograr Ejecuci\u00f3n Remota de C\u00f3digo (RCE) en el servidor mediante la carga de un archivo .htaccess malicioso utilizando un prefijo de car\u00e1cter de espacio de ancho cero para omitir la verificaci\u00f3n de seguridad. La vulnerabilidad existe en la funci\u00f3n sanitizeUploadedFileName() en app/Http/Helper.php. La funci\u00f3n contiene una falla de Tiempo de Verificaci\u00f3n a Tiempo de Uso (TOCTOU) donde la verificaci\u00f3n del prefijo de punto ocurre antes de que la sanitizaci\u00f3n elimine los caracteres invisibles. Esta vulnerabilidad est\u00e1 corregida en 1.8.207."}], "lastModified": "2026-03-11T19:29:44.933", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:freescout:freescout:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F5903DB5-FCA5-4162-869D-15FFF4B2A450", "versionEndExcluding": "1.8.207"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}