CVE-2026-28289 is a critical vulnerability affecting FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. The flaw exists in versions prior to 1.8.207 within the sanitizeUploadedFileName() function located in app/Http/Helper.php. This function attempts to prevent dangerous file uploads by checking for dot-prefixed filenames (e.g., .htaccess) before sanitizing the filename. However, it contains a Time-of-Check to Time-of-Use (TOCTOU) race condition where the check for a dot prefix occurs before the removal of invisible characters such as zero-width spaces. An attacker with authenticated file upload permissions can exploit this by prefixing a malicious .htaccess filename with a zero-width space character, bypassing the dot-prefix check. This allows uploading of files that can execute arbitrary code on the server, leading to Remote Code Execution (RCE). The vulnerability does not require additional user interaction beyond authentication and affects confidentiality, integrity, and availability of the affected system. Although no known exploits are currently reported in the wild, the vulnerability carries a CVSS 3.1 score of 10.0, indicating critical severity. The issue was reserved on 2026-02-26 and published on 2026-03-03. The vulnerability is fixed in FreeScout version 1.8.207, and users are strongly advised to upgrade to this or later versions to mitigate the risk.

The impact of CVE-2026-28289 is severe for organizations using vulnerable FreeScout versions. Successful exploitation grants an authenticated user with file upload permissions the ability to execute arbitrary code on the server, potentially leading to full system compromise. This jeopardizes the confidentiality of sensitive help desk data, the integrity of the application and its data, and the availability of the service. Attackers could deploy web shells, pivot within internal networks, exfiltrate data, or disrupt operations. Since FreeScout is used globally by organizations for customer support and internal ticketing, the vulnerability could affect a wide range of sectors including government, healthcare, finance, and enterprises relying on FreeScout for critical communication. The ease of exploitation, requiring only authentication and no user interaction, increases the risk of insider threats or compromised accounts being leveraged for attacks. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the critical severity demands immediate attention.

To mitigate CVE-2026-28289, organizations should immediately upgrade FreeScout to version 1.8.207 or later, where the vulnerability is patched. If immediate upgrade is not feasible, restrict file upload permissions strictly to trusted administrators and users, minimizing the attack surface. Implement additional server-side validation to detect and block filenames containing invisible or zero-width characters. Employ web application firewalls (WAFs) with custom rules to detect suspicious file upload patterns, including attempts to upload .htaccess or other configuration files with obfuscated names. Monitor file upload directories for unexpected or suspicious files and conduct regular integrity checks. Enforce strong authentication and session management to prevent account compromise. Additionally, consider isolating the FreeScout application environment with least privilege principles and containerization to limit the impact of potential exploitation. Maintain up-to-date backups and incident response plans to quickly recover from any compromise.