Platform
php
Component
freescout
Fixed in
1.8.216
CVE-2026-41193 describes a Remote Code Execution (RCE) vulnerability discovered in FreeScout, a free self-hosted help desk and shared mailbox system. The flaw is a Zip Slip style path traversal in the module installation feature: the installer extracts an uploaded ZIP archive without validating the paths of its members, so an entry whose name contains `../` components (or an absolute path) is written outside the intended modules directory. An authenticated administrator can therefore write files anywhere the PHP process has write access on the server's filesystem. The vulnerability affects versions 1.0.0 through 1.8.214, and a patch is available in version 1.8.215.
The impact of this vulnerability is severe. An attacker who holds, or has compromised, an administrator account can upload a specially crafted ZIP archive and, by dropping a PHP file into a web-served or autoloaded directory, execute arbitrary code on the server hosting FreeScout. This can lead to complete system compromise, including data exfiltration, malware installation, and denial of service. Because the write is not limited to the modules directory, the attacker can also target configuration files, cron entries, or other locations that allow privilege escalation or pivoting to other systems on the network. The bug belongs to the same class as other archive extraction (Zip Slip) and file upload vulnerabilities in which insufficient path validation turns an upload into an arbitrary file write, and from there into RCE.
CVE-2026-41193 was publicly disclosed on 2026-04-21. No public proof-of-concept (PoC) code has been released at the time of writing, but archive traversal bugs are simple to weaponise once the affected code path is known, so a PoC is likely to emerge. The CVSS score of 9.1 (CRITICAL) reflects the severity of a successful attack, not the probability of exploitation; the EPSS estimate shown on this page is currently low. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-41193 is to upgrade FreeScout to version 1.8.215 or later as soon as possible. If upgrading is not immediately feasible, reduce the number of accounts that hold the administrator role (only administrators can reach the module installer) and protect those accounts with strong authentication, since the attack requires an authenticated admin session. Tighten filesystem permissions so that the PHP process owner can write only to the directories FreeScout genuinely needs (its storage and modules directories) and not to the rest of the web root or system locations; this limits where a traversal entry can land, but it does not remove the risk entirely, because a PHP file written into any web-served or autoloaded directory is still code execution. A WAF is unlikely to help, as the malicious paths live inside a compressed archive that a WAF will not normally unpack and inspect. Monitor FreeScout and web server logs for module installations, especially from unfamiliar accounts or at unusual times, and for new PHP files appearing outside the expected module structure. After upgrading, verify the fix on a test or staging instance, never on production: attempt to install a test ZIP archive containing an entry whose path includes `../`; the installer should reject the archive and write nothing. On an unpatched instance the same test would actually write the file.
Update FreeScout to version 1.8.215 or later to mitigate the vulnerability. This version corrects the issue by validating member paths when extracting ZIP files, so entries that would resolve outside the destination directory are rejected instead of being written to the filesystem.
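The following Python script is an added example and is not FreeScout's code or the upstream patch. It constructs the kind of archive the vulnerability class relies on (a module ZIP whose members use `../` or an absolute path), then shows the member-path validation that a safe extractor, and the verification step described above, depend on. The module names, file contents and the `backdoor.php` marker are constructed for illustration; `scan_archive` lets you confirm that a test archive really contains a traversal entry before using it against a patched staging instance.

```python
import io
import tempfile
import zipfile
from pathlib import Path


def build_zip(entries):
    """Return the bytes of a ZIP archive holding the given {name: content} entries.

    ZipFile.writestr stores the member name verbatim, so '../' components and a
    leading '/' survive; that is exactly how a Zip Slip archive is produced.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample archives (assumed layout, not a real FreeScout module).
BENIGN_MODULE = build_zip({
    "ExampleModule/module.json": '{"name": "ExampleModule"}\n',
    "ExampleModule/Providers/ExampleServiceProvider.php": "<?php // harmless\n",
})

MALICIOUS_MODULE = build_zip({
    "ExampleModule/module.json": '{"name": "ExampleModule"}\n',
    # Traversal entry: resolves two levels above the modules directory.
    "../../public/backdoor.php": "<?php echo 'constructed marker'; // not a real payload\n",
})

ABSOLUTE_PATH_MODULE = build_zip({
    "/etc/cron.d/evil": "* * * * * root id\n",
})


class UnsafeArchiveEntry(ValueError):
    """Raised when an archive member would land outside the destination."""


def check_entry(dest: Path, member_name: str) -> Path:
    """Resolve member_name under dest and refuse anything that escapes it."""
    # Reject absolute paths outright (POSIX root or a Windows drive letter).
    if member_name.startswith(("/", "\\")) or (len(member_name) > 1 and member_name[1] == ":"):
        raise UnsafeArchiveEntry(f"absolute path in archive: {member_name!r}")
    root = dest.resolve()
    # resolve() collapses '..' components and follows symlinks, so the
    # comparison is done on canonical paths rather than on the raw string.
    target = (dest / member_name).resolve()
    if target != root and root not in target.parents:
        raise UnsafeArchiveEntry(f"entry escapes destination: {member_name!r}")
    return target


def safe_extract(zip_bytes: bytes, dest: Path) -> list:
    """Extract into dest only after every member has been validated."""
    dest.mkdir(parents=True, exist_ok=True)
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # Validate the complete listing first so a bad entry late in the
        # archive cannot leave a half-extracted module behind.
        targets = [(info, check_entry(dest, info.filename)) for info in zf.infolist()]
        for info, target in targets:
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def scan_archive(zip_bytes: bytes) -> list:
    """List the member names that would escape a destination, without extracting.

    Use this to confirm a test archive really carries a traversal entry before
    trying it against a patched staging instance.
    """
    probe_root = Path(tempfile.gettempdir()) / "zipslip-probe"  # reference root only
    bad = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            try:
                check_entry(probe_root, info.filename)
            except UnsafeArchiveEntry:
                bad.append(info.filename)
    return bad


def extraction_outcome(zip_bytes: bytes):
    """Extract into a fresh temporary directory and report what happened."""
    dest = Path(tempfile.mkdtemp(prefix="freescout-module-")) / "modules"
    try:
        return ("extracted", len(safe_extract(zip_bytes, dest)))
    except UnsafeArchiveEntry as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    print("benign   :", extraction_outcome(BENIGN_MODULE))
    print("traversal:", extraction_outcome(MALICIOUS_MODULE))
    print("absolute :", extraction_outcome(ABSOLUTE_PATH_MODULE))
```

The important design choice is that validation compares canonicalised paths (after `resolve()`), not raw strings: a string check for `../` misses encoded or mixed separators and absolute names, whereas anchoring every resolved target under the resolved destination rejects all of them. Validating the whole listing before writing anything avoids the partial-extraction state a naive per-entry check can leave behind.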
CVE-2026-41193 is a critical Remote Code Execution vulnerability in FreeScout versions 1.0.0 through 1.8.214, allowing authenticated admins to execute arbitrary code via a malicious ZIP file.
You are affected if you are running FreeScout versions 1.0.0 through 1.8.214. Upgrade to version 1.8.215 or later to resolve the vulnerability.
Upgrade FreeScout to version 1.8.215 or later. If immediate upgrade is not possible, restrict admin access to the module installation feature and implement strict file access controls.
While no active exploitation has been confirmed, the severity of the vulnerability and the simplicity of the attack once an administrator account is available suggest a high likelihood of future exploitation.
Refer to the FreeScout security advisory for detailed information and updates: [https://freescout.com/security/](https://freescout.com/security/)