A critical vulnerability in the open source FreeScout help desk and shared mailbox solution can allow zero-click remote code execution, according to Ox Security. Tracked as CVE-2026-28289 (CVSS 10/10), the flaw is a patch bypass for CVE-2026-27636, a previously fixed authenticated RCE bug.
The issue stems from a time-of-check/time-of-use (TOCTOU) weakness in filename sanitisation: the check meant to block uploading a .htaccess file can be bypassed with a zero-width space character, so the file is saved as a true dotfile and used to execute commands remotely. The attack requires neither authentication nor user interaction, and an attacker can predict where the payload will be saved on disk, access it, and run commands on the server.
If exploited, the flaw could allow full control of vulnerable servers, exfiltration of tickets and mailbox content, and lateral movement across the network. All FreeScout 1.8.206 installations running Apache with AllowOverride All enabled are affected; the fix was released in version 1.8.207 on 4 March 2026.
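The following constructed Python example (not FreeScout's code, and not a claim about its exact implementation) illustrates the bug class described above: a sanitiser that checks for a leading dot before stripping invisible characters lets `\u200b.htaccess` through, whereas normalising first and validating the final on-disk name rejects it. The function names and the check-then-normalise ordering are assumptions made for illustration.

```python
import unicodedata
from typing import Optional

# Constructed sample input: a zero-width space (U+200B) in front of the dotfile name.
ZERO_WIDTH_SPACE = "\u200b"
SAMPLE_UPLOAD_NAME = ZERO_WIDTH_SPACE + ".htaccess"


def strip_invisible(name: str) -> str:
    """NFKC-normalise, then drop Unicode 'format' characters (category Cf),
    which covers zero-width spaces, joiners and byte-order marks."""
    normalised = unicodedata.normalize("NFKC", name)
    return "".join(ch for ch in normalised if unicodedata.category(ch) != "Cf")


def naive_sanitise(name: str) -> Optional[str]:
    """Flawed ordering (assumed for illustration): the dotfile check runs on the
    raw name, and invisible characters are removed only afterwards, so the
    stored name becomes a true dotfile that Apache will honour."""
    if name.startswith("."):
        return None
    return strip_invisible(name)


def hardened_sanitise(name: str) -> Optional[str]:
    """Normalise first, then validate the exact name that will reach the disk."""
    cleaned = strip_invisible(name)
    # Keep only the basename so traversal segments cannot survive.
    cleaned = cleaned.replace("\\", "/").rsplit("/", 1)[-1].strip()
    # Rejecting every dotfile covers .htaccess, .htpasswd and similar control files.
    if not cleaned or cleaned.startswith("."):
        return None
    # Restrict the stored name to a conservative character set.
    if not all(ch.isalnum() or ch in "-_." for ch in cleaned):
        return None
    return cleaned


if __name__ == "__main__":
    print("naive   :", repr(naive_sanitise(SAMPLE_UPLOAD_NAME)))     # '.htaccess'
    print("hardened:", repr(hardened_sanitise(SAMPLE_UPLOAD_NAME)))  # None
```

Independently of the application's sanitiser, serving the upload directory with `AllowOverride None` removes Apache's processing of any .htaccess that does land on disk.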