CVE-2026-27636

moderate-risk
Published 2026-02-25

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.

Do I need to act?

!
22.5% chance of exploitation in next 30 days
EPSS score — higher than 78% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Freescout

References (5)

Patch https://github.com/freescout-help-desk/freescout/commit/9984071e6f1b4e633fdcffce...
Not Applicable https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v...
Exploit https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x...
Not Applicable https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-6gcm-v...
Exploit https://github.com/freescout-help-desk/freescout/security/advisories/GHSA-mw88-x...
49
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 14/34 · Moderate
Exposure 5/34 · Minimal