VYPR
Unrated severityNVD Advisory· Published Feb 25, 2026· Updated Feb 25, 2026

FreeScout: Missing .htaccess in Restricted File Extensions Allows Remote Code Execution on Apache

CVE-2026-27636

Description

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in app/Misc/Helper.php does not include .htaccess or .user.ini files. On Apache servers with AllowOverride All (a common configuration), an authenticated user can upload a .htaccess file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Freescout/Freescoutllm-fuzzy2 versions
    <1.8.206+ 1 more
    • (no CPE)range: <1.8.206
    • (no CPE)range: < 1.8.206

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.