CVE-2026-28289: CWE-434: Unrestricted Upload of File with Dangerous Type in freescout-help-desk freescout

Severity: Critical
Type: Vulnerability
Tags: cve-2026-28289, cwe-434
Published: Tue Mar 03 2026 (03/03/2026, 22:59:08 UTC)
Source: CVE Database V5
Vendor/Project: freescout-help-desk
Product: freescout

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. A patch bypass vulnerability for CVE-2026-27636 in FreeScout 1.8.206 and earlier allows any authenticated user with file upload permissions to achieve Remote Code Execution (RCE) on the server by uploading a malicious .htaccess file using a zero-width space character prefix to bypass the security check. The vulnerability exists in the sanitizeUploadedFileName() function in app/Http/Helper.php. The function contains a Time-of-Check to Time-of-Use (TOCTOU) flaw where the dot-prefix check occurs before sanitization removes invisible characters. This vulnerability is fixed in 1.8.207.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/11/2026, 19:41:35 UTC

Technical Analysis

CVE-2026-28289 affects FreeScout, an open-source help desk and shared inbox application built on PHP's Laravel framework. The flaw sits in sanitizeUploadedFileName() in app/Http/Helper.php and is a bypass of the fix for CVE-2026-27636. The CVE record labels it a Time-of-Check to Time-of-Use (TOCTOU) flaw, but no race is involved: the defect is the order of operations. The function first checks whether the filename starts with a dot and only afterwards strips invisible characters such as the zero-width space (U+200B). A name such as "<U+200B>.htaccess" therefore passes the dot-prefix check, and once the zero-width space is removed the file is stored as .htaccess. Because Apache reads .htaccess from the directory it serves (wherever AllowOverride permits it), an attacker-controlled .htaccess can change how the upload directory is handled, for example by mapping another uploaded file's extension to the PHP handler, which yields remote code execution as the web server user. Exploitation requires an authenticated account with file upload permission and no user interaction; no further privileges are needed. Affected versions are 1.8.206 and earlier; the fix shipped in 1.8.207. The page lists a CVSS v3.1 base score of 10.0 (network attack vector, low complexity, no user interaction, complete loss of confidentiality, integrity and availability). Note that a 10.0 under CVSS v3.1 implies no privileges required, which does not match the need for an authenticated account; treat the exact vector as unconfirmed until checked against the CVE record. No exploitation in the wild had been reported as of publication. The root cause is a sanitizer that runs its security check on the raw input rather than on the normalized name that is actually written to disk.
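The ordering bug described above, as an added Python model rather than FreeScout's PHP code: the real body of sanitizeUploadedFileName() is not on this page, so only the described check-then-strip order is reproduced, and widening the stripped set from the single zero-width space to the whole Unicode Cf category, plus the script-extension denylist in the hardened version, are assumptions of this example.

```python
"""Check-before-sanitize bug modelled on the advisory's description of
sanitizeUploadedFileName(), next to a version that checks the final name.

Added illustration, not FreeScout's code. Only the described ordering (dot
check first, invisible-character stripping second) is reproduced; stripping
the whole Unicode Cf category and the extension policy are assumptions.
"""
import re
import unicodedata
from typing import Callable

ZERO_WIDTH_SPACE = "\u200b"


def strip_invisible(name: str) -> str:
    """Drop every Unicode 'format' (Cf) character: U+200B zero-width space,
    U+200C/U+200D joiners, U+FEFF byte-order mark, U+00AD soft hyphen, ..."""
    return "".join(ch for ch in name if unicodedata.category(ch) != "Cf")


def vulnerable_sanitize(raw: str) -> str:
    """Order reported as vulnerable: check the raw name, then sanitize."""
    if raw.startswith("."):                      # check runs on the raw input ...
        raise ValueError("dot-prefixed filename")
    return strip_invisible(raw)                  # ... and the leading dot reappears here


def hardened_sanitize(raw: str) -> str:
    """Sanitize and normalize first, then check the name that will hit disk."""
    name = strip_invisible(raw)
    name = unicodedata.normalize("NFKC", name)   # e.g. U+FF0E fullwidth '.' -> '.'
    name = re.sub(r"[\x00-\x1f\x7f]", "", name)  # control characters
    name = name.replace("\\", "/").rsplit("/", 1)[-1]  # basename only
    name = name.strip()
    if not name or name.startswith("."):
        raise ValueError("empty or dot-prefixed after sanitization")
    # Defence in depth (assumed policy): never store server-executable
    # extensions, whatever the upload directory's handler config says.
    if re.search(r"\.(php\d?|phtml|phar)$", name, re.IGNORECASE):
        raise ValueError("script extension")
    return name


def evaluate(raw: str, sanitizer: Callable[[str], str]) -> tuple[str, str]:
    """Run one sanitizer; report ('accepted', stored_name) or ('rejected', reason)."""
    try:
        return "accepted", sanitizer(raw)
    except ValueError as exc:
        return "rejected", str(exc)


if __name__ == "__main__":
    # Constructed sample filenames, including the reported bypass.
    samples = [
        ".htaccess",
        ZERO_WIDTH_SPACE + ".htaccess",
        "\ufeff.htaccess",
        "\uff0ehtaccess",
        "invoice.pdf",
        "../shell.php",
    ]
    for raw in samples:
        print(f"{ascii(raw):28} vulnerable={evaluate(raw, vulnerable_sanitize)} "
              f"hardened={evaluate(raw, hardened_sanitize)}")
```

The difference is not the set of checks but where they sit: in the hardened version every test runs on the exact string that will be written, after invisible characters are stripped and NFKC normalization has collapsed look-alike punctuation. The same discipline applies in PHP: strip with a `\p{Cf}` class in `preg_replace()` (with the `u` modifier) before any leading-dot test, and re-run the extension check on the result.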

Potential Impact

Successful exploitation gives the attacker code execution on the FreeScout host with the privileges of the web server (or PHP-FPM) worker, which is enough to run arbitrary commands, read the application's configuration and database, alter or destroy data, and pivot into the rest of the network. Confidentiality, integrity and availability of the host are all lost. Because FreeScout handles customer tickets and shared mailboxes, the exposure includes customer data, internal conversations and the credentials the application holds for the mailboxes it connects to. The only precondition is an authenticated account with upload permission, which ordinary agents commonly hold in a multi-user deployment, so the pool of accounts able to exploit it is large. Low exploitation effort combined with full host compromise makes this a high-priority fix; operational disruption, reputational damage and regulatory exposure all follow from a compromised support system.

Mitigation Recommendations

Upgrade FreeScout to 1.8.207 or later. Until that is done: restrict file upload permission to fully trusted users; on the web server, set AllowOverride None for the directories that hold uploads so an uploaded .htaccess is ignored, and disable script execution there (with mod_php, php_admin_flag engine off; with PHP-FPM, make sure no handler is mapped for that tree and deny requests for script extensions); keep uploads outside the document root where the application allows it. Monitor uploads for filenames containing invisible Unicode characters (the reported bypass uses U+200B, but any character in the Unicode Cf category deserves the same suspicion) and for names that become dot-prefixed after normalization. Since upgrading does not remove files that were uploaded before the patch, inspect existing upload directories for .htaccess files and for recently added files with script extensions. A WAF rule that flags zero-width or other format characters in multipart filenames adds a layer, but it is not a substitute for the upgrade. Regularly audit user permissions and upload logs, enforce strong authentication, and include file-upload handling (filename normalization, extension checks, execution restrictions on the storage path) in penetration tests and vulnerability scans.
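One way to make the upload tree inert even if a .htaccess does land there, as an added Apache configuration example (not from FreeScout's documentation; the directory paths, the module identifier php_module and the extension list are assumptions to adapt to the actual install):

```apache
# Assumed layout: document root /var/www/freescout/public, uploaded
# attachments under /var/www/freescout/public/storage (adjust to your install).

<Directory "/var/www/freescout/public/storage">
    # Per-directory config files are ignored here, so an uploaded .htaccess
    # has no effect. Leave the override setting for /public itself alone if
    # the install relies on the shipped .htaccess rewrite rules.
    AllowOverride None
    Options -ExecCGI -Includes -Indexes

    # mod_php (identifier php_module for PHP 8, php7_module for PHP 7):
    # turn the PHP engine off for this tree.
    <IfModule php_module>
        php_admin_flag engine off
    </IfModule>

    # mod_php or PHP-FPM: refuse to serve anything that looks like a script,
    # so even a file the application stored under such a name is never run.
    <FilesMatch "\.(php[0-9]?|phtml|phar)$">
        Require all denied
    </FilesMatch>
</Directory>

# Never serve dot-files (.htaccess, .env, .git) from anywhere.
<FilesMatch "^\.">
    Require all denied
</FilesMatch>
```

Run `apachectl -t` before reloading, then request a known attachment URL and a fabricated `.../storage/x.php` to confirm the first is served and the second is denied. This contains the blast radius of a stored .htaccess or script; it does not correct the sanitizer, so the upgrade remains required.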

Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-26T01:52:58.735Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a79342d1a09e29cbc204ee

Added to database: 3/4/2026, 2:04:50 AM

Last enriched: 3/11/2026, 7:41:35 PM

Last updated: 4/18/2026, 10:27:04 AM
