CVE-2026-28289 — AI Deep Analysis Summary

🚨 **Essence**: A TOCTOU flaw in `sanitizeUploadedFileName` allows malicious file uploads. 💥 **Consequences**: Remote Code Execution (RCE) via `.htaccess` files.…

🛡️ **Root Cause**: **CWE-434** (Unrestricted Upload of File with Dangerous Type). The sanitization logic has a **Time-of-Check to Time-of-Use (TOCTOU)** race condition, failing to block dangerous extensions effectively.

📦 **Affected**: **FreeScout** (PHP/Laravel Help Desk). Versions **1.8.206 and earlier**. Vendor: `freescout-help-desk`.

💀 **Attacker Capabilities**: Authenticated users with **file upload permissions** can upload `.htaccess` files. This leads to **RCE**, granting full control over the server environment.

⚠️ **Threshold**: **Low**. CVSS indicates **No Privileges Required** for network access, but the description notes 'authenticated users'.…

🔍 **Public Exploit**: **No PoC** currently listed in the data. However, the vulnerability type (TOCTOU + Upload) is well-understood. Wild exploitation risk increases as details become public.

🔎 **Self-Check**: Scan for **FreeScout** instances. Check if version is **≤ 1.8.206**. Verify if file upload features are enabled and if `.htaccess` files can be uploaded via the web interface.

✅ **Fixed**: **Yes**. Patch available via GitHub Advisory **GHSA-5gpc-65p8-ffwp** and commit **f7bc16c56a6b13c06da52ad51fd666546b40818f**. Update immediately.

🛑 **No Patch Workaround**: **Disable file uploads** entirely if not needed. Implement strict **WAF rules** to block `.htaccess` uploads. Restrict upload permissions to trusted admins only.

🔥 **Urgency**: **CRITICAL**. CVSS Score is **High** (likely 9.0+ based on vector). RCE via upload is a high-impact vector. **Patch immediately** upon availability.