Mail2Shell zero-click attack lets hackers hijack FreeScout mail servers

A maximum-severity remote code execution vulnerability in the FreeScout helpdesk platform (CVE-2026-28289) allows unauthenticated attackers to compromise the server by delivering a single crafted email attachment. Researchers at OX Security say the flaw bypasses a previous fix (CVE-2026-27636) by using a leading zero-width space to create executable dotfiles. Administrators should upgrade to FreeScout 1.8.207 and consider disabling `AllowOverride All` in Apache.

Key points

  • CVE-2026-28289 enables unauthenticated, zero-click remote code execution via a crafted email attachment.
  • The flaw bypasses a prior CVE-2026-27636 fix by inserting a zero-width space before filenames to create dotfiles.
  • Uploaded payloads are stored under /storage/attachment/ and can be accessed and executed through the web interface.
  • All FreeScout versions up to 1.8.206 are affected; the issue is fixed in version 1.8.207.
  • OX Security and the vendor advise immediate patching and recommend disabling `AllowOverride All` in Apache as an additional mitigation.
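
An added example, not taken from the article, OX Security or the FreeScout code base: a Python audit that flags attachment filenames which turn into dotfiles once invisible Unicode format characters such as the zero-width space are removed. `naive_is_dotfile` is a constructed model of a first-character test, the sample names are constructed, and the directory given to `audit` is assumed to be your installation's `/storage/attachment/` path.

```python
import os
import unicodedata

ZWSP = "\u200b"  # zero-width space, the invisible prefix named in the advisory


def visible_name(name):
    """Return the name as a person would read it: Unicode format characters
    (category Cf, which includes U+200B) removed, outer whitespace stripped."""
    kept = (c for c in name if unicodedata.category(c) != "Cf")
    return "".join(kept).strip()


def naive_is_dotfile(name):
    """Constructed model of a check that inspects only the first raw character."""
    return name.startswith(".")


def classify(name):
    """Return the reasons a filename deserves review (empty list means clean)."""
    reasons = []
    if any(unicodedata.category(c) == "Cf" for c in name):
        reasons.append("invisible-format-char")
    if visible_name(name).startswith("."):
        reasons.append("dotfile")
    return reasons


def audit(root):
    """Walk an attachment directory and return (path, reasons) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            reasons = classify(fname)
            if reasons:
                findings.append((os.path.join(dirpath, fname), reasons))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample names, not taken from a real incident.
    for sample in ["invoice.pdf", ".htaccess", ZWSP + ".htaccess"]:
        print(repr(sample), naive_is_dotfile(sample), classify(sample))
```

The same normalisation belongs in front of any upload filter: compare the name after stripping category Cf characters, not the raw string.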

Read More: https://www.bleepingcomputer.com/news/security/mail2shell-zero-click-attack-lets-hackers-hijack-freescout-mail-servers/