FreeScout disclosed two high-severity vulnerabilities affecting versions prior to 1.8.206 that can be exploited independently or chained: CVE-2026-27637 (predictable authentication token) and CVE-2026-27636 (unsafe file upload restrictions enabling Apache configuration abuse). CVE-2026-27637 stems from TokenAuth generating a static token as MD5(user_id + created_at + APP_KEY); if an attacker obtains the Laravel APP_KEY (a commonly exposed secret in misconfigured deployments), they can compute valid tokens for arbitrary users, including administrators, resulting in account takeover without a password.
CVE-2026-27636 is caused by FreeScout’s upload restriction list not blocking .htaccess and .user.ini; on Apache servers configured with AllowOverride All, an authenticated user can upload a .htaccess file to alter how files are processed and achieve remote code execution. Belgium’s CCB/Safeonweb urged immediate patching and noted no confirmed active exploitation as of 25 Feb 2026, while emphasizing that help desk platforms often contain sensitive customer data and can be leveraged for lateral movement. FreeScout fixed both issues in 1.8.206 via upstream commits and published GitHub security advisories for each CVE.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
Belgium's Centre for Cybersecurity Belgium published an advisory warning that critical FreeScout vulnerabilities could be exploited to achieve remote code execution and urged immediate patching. The advisory reflects official government-level notification of the risk.
Two critical FreeScout vulnerabilities were publicly disclosed: CVE-2026-27636, involving upload of .htaccess or .user.ini files that can lead to remote code execution on Apache with AllowOverride enabled, and CVE-2026-27637, involving predictable static authentication tokens that can enable takeover of arbitrary accounts if the Laravel APP_KEY is known. The disclosures note the flaws can also be chained together.
FreeScout version 1.8.206 was released to remediate two vulnerabilities: an unrestricted dangerous file upload issue enabling Apache-based remote code execution and a predictable authentication token flaw enabling account takeover. The fixes address versions prior to 1.8.206.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cvefeed.io
Open sourcecvefeed.io
Open sourceccb.belgium.be
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.