CVE-2026-28289: Php [PoC]
CVE-2026-28289
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with f...
Overview
A critical security vulnerability has been identified in FreeScout, a widely used help desk and shared inbox application. This flaw allows any authenticated user with basic file upload permissions to take complete control of the server hosting the application.
Vulnerability Explanation
In simple terms, the vulnerability is a bypass of a previous security fix. The application’s security check for uploaded files has an ordering flaw: when a user uploads a file, the system checks whether the filename is dangerous (like .htaccess, a powerful Apache configuration file) before it fully cleans the name. An attacker can exploit this gap by placing a hidden, zero-width space character at the start of the filename (e.g., [zero-width-space].htaccess). The initial check does not recognise the name as .htaccess, but the later cleaning step removes the invisible character, so the file is stored under the dangerous name. This lets the attacker upload a harmful .htaccess file and execute arbitrary code on the server.
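As an added illustration (not FreeScout's own code, and not the real `sanitizeUploadedFileName()` implementation), the PHP below reproduces the check-before-clean ordering described above next to a corrected order that validates the exact name that will be stored, plus a small log-review helper. The deny-list, the set of invisible code points and the rule rejecting all dot-prefixed names are assumptions chosen for this example.

```php
<?php
// Illustrative sanitizer, not FreeScout's code; deny-list and invisible-char set are assumptions.
const BLOCKED_BASENAMES = ['.htaccess', '.htpasswd', '.user.ini', 'web.config'];

// "Cleaning" step: drop zero-width characters (U+200B..U+200D, U+2060) and the
// BOM (U+FEFF), then trim surrounding whitespace.
function stripInvisible(string $name): string
{
    $clean = preg_replace('/[\x{200B}-\x{200D}\x{2060}\x{FEFF}]/u', '', $name);
    return trim($clean ?? $name);
}

// "Dangerous name" step: case-insensitive deny-list match.
function isBlocked(string $name): bool
{
    return in_array(strtolower($name), BLOCKED_BASENAMES, true);
}

// Vulnerable order: the deny-list sees the raw name, which still carries the
// invisible prefix and so is not ".htaccess"; the prefix is stripped only after.
function sanitizeVulnerable(string $name): ?string
{
    if (isBlocked($name)) {
        return null;
    }
    return stripInvisible($name);
}

// Fixed order: normalise first, then validate the exact string that will be
// stored. Rejecting all dot-prefixed names is an extra hardening choice here.
function sanitizeFixed(string $name): ?string
{
    $clean = stripInvisible($name);
    if ($clean === '' || $clean[0] === '.' || isBlocked($clean)) {
        return null;
    }
    return $clean;
}

// Log-review helper: flag names that change under cleaning or end up dot-prefixed.
function looksSuspicious(string $name): bool
{
    $clean = stripInvisible($name);
    return $clean !== $name || ($clean !== '' && $clean[0] === '.');
}

$probe = "\u{200B}.htaccess"; // constructed input: zero-width space + .htaccess
printf("vulnerable: %s\n", var_export(sanitizeVulnerable($probe), true));
printf("fixed: %s\n", var_export(sanitizeFixed($probe), true));
printf("flagged: %s\n", var_export(looksSuspicious($probe), true));
```

Running the script shows the vulnerable order returning the stored name `.htaccess` while the fixed order rejects it, and the helper flagging the probe for review.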
Potential Impact
The impact of this vulnerability is severe (CRITICAL, CVSS 10.0). A successful exploit leads to Remote Code Execution (RCE). This means an attacker with a standard user account in the help desk can:
- Gain full administrative control over the web server.
- Steal, modify, or delete sensitive customer support data and emails.
- Use the compromised server to attack other internal systems.
- Install persistent backdoors or malware.
Remediation and Mitigation
Immediate action is required for all FreeScout administrators.
Primary Fix:
- Upgrade immediately to FreeScout version 1.8.207 or later. This is the only complete solution, as it fixes the logic flaw in the `sanitizeUploadedFileName()` function.
Immediate Mitigation (If Upgrade is Delayed):
- Restrict File Uploads: Review and minimize the number of user roles with file upload permissions. Apply the principle of least privilege.
- Web Server Hardening: Configure your web server (e.g., Apache, Nginx) to block direct access to, or execution of, `.htaccess` files in user upload directories.
- Monitor Logs: Closely monitor application and server logs for any unusual file upload activity, particularly attempts to upload files with dot-prefixes.
All users on versions 1.8.206 and earlier are vulnerable and should treat this patch as an urgent priority.
Metasploit Modules
Weaponized exploit code — authorized use only
The Metasploit Framework modules below are production-ready exploit code maintained by Rapid7. Unlike random GitHub PoCs, these are vetted by Metasploit maintainers and integrated into a point-and-click exploitation framework used by red teams worldwide. The presence of an MSF module means this CVE is trivially exploitable at scale — patch immediately.
Authorized use only. Run only against systems you own or have explicit written permission to test. Using exploit code against systems you do not own is illegal in most jurisdictions and violates Yazoul's terms of use.
| Module | Source |
|---|---|
| exploit/multi/http/freescout_htaccess_rce | View source |
1 Metasploit module indexed for this CVE. Source: rapid7/metasploit-framework.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Stars |
|---|---|
| 0xBlackash/CVE-2026-28289 CVE-2026-28289 | ★ 1 |
Showing 1 of 1 known references. Source: nomi-sec/PoC-in-GitHub.