Security researchers have uncovered a maximum-score vulnerability in FreeScout, the popular open-source help desk and shared inbox platform. The flaw, tracked as CVE-2026-28289, carries a CVSS score of 10.0, the highest possible severity rating, as it allows for unauthenticated Remote Code Execution (RCE) via a clever “invisible” character trick.
FreeScout is widely used by organizations as a privacy-focused alternative to Zendesk and Help Scout. However, this latest discovery reveals that a patch designed to fix a previous vulnerability can be completely bypassed using a single, invisible character.
The vulnerability centers on the platform’s file upload sanitization logic in the app/Http/Helper.php file. The system was designed to block the upload of dangerous files, such as .htaccess, by checking if a filename starts with a dot.
However, researchers identified a Time-of-Check to Time-of-Use (TOCTOU) flaw. An attacker can prefix a filename with a Zero-Width Space (ZWSP) character (U+200B).
Because the ZWSP is technically the first character, the system’s “dot-check” sees that the filename does not start with a dot and allows the upload to proceed. After the security check, the system’s own sanitization process kicks in and strips out the “invisible” ZWSP character to ensure the filename is clean for the server. The resulting file is saved as a legitimate .htaccess file.
By uploading a malicious .htaccess file, an unauthenticated attacker can execute arbitrary system commands, leading to a full server compromise.
This vulnerability poses an existential threat to affected help desk installations. A successful exploit allows an attacker to:
- Access Private Data: Steal all stored emails, conversations, and sensitive attachments.
- Move Laterally: Use the compromised server as a foothold to attack internal corporate networks.
- Disrupt Services: Take the help desk offline or delete critical support data.
All installations running FreeScout version 1.8.206 are vulnerable, particularly those hosted on Apache servers with AllowOverride All enabled, since that setting is what lets an uploaded .htaccess file change the server's behavior.
The FreeScout team has released a critical security update to address the TOCTOU flaw by reordering the sanitization process. The new version ensures that all invisible and control characters are removed before the system checks for dangerous patterns like dot-prefixes.
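The following added example (not FreeScout's code; a simplified model whose function names are assumptions) shows why the ordering described above matters: the "check, then sanitize" filter accepts a name whose leading dot is hidden behind U+200B, while the "sanitize, then check" filter rejects the same name. It also includes a small detection helper a defender could run over upload logs.

```python
import unicodedata

# Constructed, simplified model of an upload-name filter. This is NOT the
# real app/Http/Helper.php logic; names and structure are assumptions.

DANGEROUS_PREFIX = "."


def strip_invisible(name: str) -> str:
    """Remove Unicode format (Cf) and control (Cc) code points.

    U+200B ZERO WIDTH SPACE is category Cf, so it is stripped here.
    """
    return "".join(ch for ch in name if unicodedata.category(ch) not in ("Cf", "Cc"))


def vulnerable_filter(name: str):
    """Check first, sanitize afterwards (the flawed ordering).

    Returns the filename that would be stored, or None if rejected.
    """
    if name.startswith(DANGEROUS_PREFIX):
        return None
    # The dot check has already passed; stripping now may expose the dot.
    return strip_invisible(name)


def hardened_filter(name: str):
    """Sanitize first, then check the name that will actually be stored."""
    clean = strip_invisible(name)
    if clean == "" or clean.startswith(DANGEROUS_PREFIX):
        return None
    return clean


def is_prefix_bypass_attempt(name: str) -> bool:
    """Detection helper: True when the raw name passes the dot check but its
    sanitized form does not, i.e. an invisible character is hiding the dot."""
    return (not name.startswith(DANGEROUS_PREFIX)
            and strip_invisible(name).startswith(DANGEROUS_PREFIX))


if __name__ == "__main__":
    sample = "\u200b.htaccess"  # constructed input: ZWSP followed by .htaccess
    print("vulnerable order stores:", vulnerable_filter(sample))  # .htaccess
    print("hardened order stores:  ", hardened_filter(sample))    # None
    print("flagged as bypass:      ", is_prefix_bypass_attempt(sample))  # True
```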
If you are a FreeScout administrator, you are urged to upgrade to version 1.8.207 immediately to protect your data and infrastructure.