CVE-2026-28289 is a patch-bypass vulnerability in FreeScout, the PHP/Laravel-based help desk and shared inbox platform. It affects FreeScout 1.8.206 and earlier and bypasses the prior fix for CVE-2026-27636. The flaw is in sanitizeUploadedFileName() in app/Http/Helper.php, where a dot-prefix validation check is performed before sanitization removes invisible characters. By prepending a zero-width space (U+200B) to a filename, an attacker can evade the dotfile restriction during the check phase; later processing strips the invisible character, causing the file to be stored under its dangerous original name, such as .htaccess. This enables upload of a malicious .htaccess file that can alter Apache handling so attacker-controlled uploaded content is executed as PHP, resulting in remote code execution. The vendor description specifically states authenticated users with file upload permissions can exploit this path; supporting reporting also describes escalation to unauthenticated, zero-click exploitation when FreeScout is configured to ingest email attachments into a mailbox.
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
What an attacker gets, and what they’ve been doing with it.
If you can’t patch tonight, do this now.
Patch, then assume compromise.
1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (1 hidden).
Repository contains a single Python PoC exploit (Mail2Shell.py) and a detailed README. The exploit targets the claimed FreeScout vulnerability CVE-2026-28289 ("Mail2Shell"), described as a zero-click, unauthenticated RCE via inbound email attachment handling. Core behavior: the script interactively collects SMTP server/port/credentials and From/To addresses, then creates two local files: (1) a malicious .htaccess whose filename is prefixed with a zero-width Unicode character (\u200b) to bypass FreeScout filename sanitization, and (2) webshell.txt containing a minimal PHP command-execution webshell using the GET parameter cmd. It emails both as attachments to a FreeScout mailbox. If the target stores attachments under a web-accessible path and Apache honors .htaccess (AllowOverride enabled), the .htaccess causes .txt files to be treated as PHP, enabling remote command execution by visiting the uploaded webshell URL. The script does not automatically discover the uploaded attachment path; instead it prints operator instructions to SSH into the server and run: find /var/www/html/storage/attachment -name webshell.txt -type f, then access the resulting path via HTTP to execute commands (whoami/id). This is an operational PoC with a hardcoded webshell payload and manual post-exploitation steps.
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
31 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An unauthenticated remote code execution vulnerability in FreeScout involving ZWSP/.htaccess, referenced as a Metasploit module PR.
An unauthenticated, zero-click remote code execution vulnerability in FreeScout that can be triggered by sending a specially crafted email to a FreeScout mailbox, potentially leading to server takeover.
A FreeScout file-upload restriction bypass (using a leading zero-width space U+200B) that enables overwriting of .htaccess and subsequent PHP execution, effectively enabling RCE; can be escalated from authenticated to unauthenticated RCE on internet-exposed instances by emailing malicious attachments to a configured mailbox.
A zero-click, unauthenticated remote code execution chain in FreeScout that bypasses a prior incomplete fix by abusing a Zero-Width Space (U+200B) in attachment filenames to evade upload validation, resulting in a web-accessible payload and server-side command execution.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.