Skip to main content

FreeScout CVE-2026-41193

| EUVDEUVD-2026-24223 CRITICAL
Path Traversal (CWE-22)
2026-04-21 GitHub_M
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 21:10 nvd
Patch available
Re-analysis Queued
Apr 21, 2026 - 21:22 vuln.today
cvss_changed
Patch available
Apr 21, 2026 - 19:01 EUVD
Analysis Generated
Apr 21, 2026 - 18:48 vuln.today
EUVD ID Assigned
Apr 21, 2026 - 17:45 euvd
EUVD-2026-24223
Analysis Generated
Apr 21, 2026 - 17:45 vuln.today
CVE Published
Apr 21, 2026 - 17:15 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without validating file paths, allowing an authenticated admin to write files arbitrarily on the server filesystem via a specially crafted ZIP. Version 1.8.215 fixes the vulnerability.

AnalysisAI

Arbitrary file write in FreeScout (prior to 1.8.215) allows authenticated administrators to achieve remote code execution by uploading malicious ZIP archives during module installation. The path traversal vulnerability (CWE-22) enables attackers to write files to any location on the server filesystem, including web-accessible directories where PHP shells can be placed. With CVSS 9.1 (Critical) and EPSS data not provided, the primary risk factor is the changed scope (S:C) indicating potential container/hosting infrastructure compromise beyond the application itself. No active exploitation confirmed (not in CISA KEV) and no public POC identified at time of analysis, though the fix commit provides implementation details that could facilitate exploit development.

Technical ContextAI

FreeScout is an open-source PHP-based help desk and shared inbox application. The vulnerability exists in the module installation subsystem, which processes ZIP archives containing module code and assets. The application fails to sanitize or validate file paths within ZIP entries before extraction, a classic ZIP Slip vulnerability pattern (CWE-22: Improper Limitation of a Pathname to a Restricted Directory). An attacker can craft ZIP entries with paths like '../../../var/www/html/shell.php' to escape the intended extraction directory. The affected CPE (cpe:2.3:a:freescout-help-desk:freescout:*:*:*:*:*:*:*:*) indicates all versions prior to 1.8.215 are vulnerable. The CVSS vector PR:H (high privileges required) confirms this requires admin-level access to the module installation feature, while S:C (changed scope) suggests the attacker can break out of the application security boundary to compromise the underlying web server or container.

RemediationAI

Upgrade immediately to FreeScout version 1.8.215 or later, available at https://github.com/freescout-help-desk/freescout/releases/tag/1.8.215. The fix implemented in commit 14f17a5cd22d217103a72b431b47b1f06996227b adds path validation during ZIP extraction to prevent directory traversal. For environments unable to upgrade immediately, implement compensating controls: restrict module installation functionality to a single trusted administrator account with strong MFA enforcement (reduces PR:H attack surface), monitor filesystem for unexpected file writes outside application directories using file integrity monitoring (detects exploitation attempts), and deploy FreeScout behind a web application firewall configured to detect path traversal patterns in upload requests (though this may not fully prevent ZIP-based attacks). Note that disabling module installation entirely via configuration may break legitimate administrative workflows. Each mitigation has trade-offs: restricted admin access increases operational friction, FIM generates investigation overhead, and WAF rules may cause false positives on legitimate module uploads. Patching to 1.8.215 remains the definitive solution with no functional impact.

CVE-2026-28289 CRITICAL POC
10.0 Mar 03

File upload bypass in FreeScout 1.8.206 — patch bypass for CVE-2026-27636. PoC and patch available. CVSS 10.0.

CVE-2026-27636 HIGH POC
8.8 Feb 25

Remote code execution in FreeScout prior to version 1.8.206 allows authenticated users to upload `.htaccess` files that

CVE-2026-27637 CRITICAL POC
9.8 Feb 25

Predictable password reset tokens in FreeScout help desk before 1.8.206. Weak random number generation allows attackers

CVE-2024-29185 CRITICAL POC
9.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated critical severity (CVSS 9.0), this vulnerability is remot

CVE-2024-29184 HIGH POC
8.0 Mar 22

FreeScout is a self-hosted help desk and shared mailbox. Rated high severity (CVSS 8.0), this vulnerability is remotely

CVE-2024-28186 HIGH POC
7.1 Mar 12

FreeScout is an open source help desk and shared inbox built with PHP. Rated high severity (CVSS 7.1), this vulnerabilit

CVE-2024-34698 MEDIUM POC
6.3 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.3), this vulnerability is r

CVE-2024-34697 MEDIUM POC
6.1 May 14

FreeScout is a free, self-hosted help desk and shared mailbox. Rated medium severity (CVSS 6.1), this vulnerability is r

CVE-2026-32754 CRITICAL
9.3 Mar 19

A stored cross-site scripting (XSS) vulnerability exists in FreeScout help desk software versions 1.8.208 and below, whe

CVE-2026-41902 CRITICAL
9.1 May 07

Unauthenticated account takeover in FreeScout versions prior to 1.8.217 allows remote attackers to gain permanent access

CVE-2026-40498 HIGH
8.9 Apr 21

Unauthenticated remote attackers can access administrative diagnostic endpoints in FreeScout versions prior to 1.8.213,

CVE-2026-40496 HIGH
8.8 Apr 21

Insecure token generation in FreeScout <1.8.213 allows unauthenticated remote attackers to download private email attach

Share

CVE-2026-41193 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy