What is the CVSS score of CVE-2026-27636?

CVE-2026-27636 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.3%.

Which versions of PHP are affected by CVE-2026-27636?

FreeScout help desk systems prior to version 1.8.206 contain a critical file upload vulnerability that allows authenticated users to execute arbitrary code on affected servers.. A patch is available.

Is there a public PoC exploit available for CVE-2026-27636?

Yes, a public proof-of-concept exploit is available for CVE-2026-27636. Prioritise patching immediately. EPSS: 0.3%.

PHP CVE-2026-27636

HIGH

Unrestricted Upload of File with Dangerous Type (CWE-434)

2026-02-25 security-advisories@github.com

PHP RCE Apache Laravel Freescout

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Feb 26, 2026 - 16:07 vuln.today

Public exploit code

Patch released

Feb 26, 2026 - 16:07 nvd

Patch available

CVE Published

Feb 25, 2026 - 04:16 nvd

HIGH 8.8

DescriptionNVD

FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.206, FreeScout's file upload restriction list in app/Misc/Helper.php does not include .htaccess or .user.ini files. On Apache servers with AllowOverride All (a common configuration), an authenticated user can upload a .htaccess file to redefine how files are processed, enabling Remote Code Execution. This vulnerability can be exploited on its own or in combination with CVE-2026-27637. Version 1.8.206 fixes both vulnerabilities.

AnalysisAI

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload .htaccess files that bypass file upload restrictions, enabling arbitrary code execution on Apache servers with AllowOverride All enabled. Public exploit code exists for this vulnerability. …

RemediationAI

Within 24 hours: Identify all FreeScout instances and their current versions; assess whether affected versions are deployed in production. Within 7 days: Apply vendor patch to version 1.8.206 or later on all FreeScout installations; if patching is not immediately feasible, implement the compensating control below. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

CVE-2026-43828 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue

CVE-2026-44598 MEDIUM This Month

5.1 May 25

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu

CVE-2026-27636 vulnerability details – vuln.today

Back

PHP CVE-2026-27636

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code