2026-02-25 03:41:33
GitHub_M
PUBLISHED
FreeScout is a free help desk and shared inbox built with PHPs Laravel framework. Prior to version 1.8.206, FreeScouts file upload restriction list in `app/Misc/Helper.php` does not include `.htaccess` or `.user.ini` files. On Apache servers with `AllowOverride All` (a common configuration), an authenticated user can upload a `.htaccess` file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.