FreeScout Vulnerability: Unrestricted File Write via ZIP Upload

The National Vulnerability Database has detailed CVE-2026-41193, a critical vulnerability affecting FreeScout instances prior to version 1.8.215. This flaw lies in the module installation feature, which fails to validate file paths when extracting ZIP archives. An authenticated administrator can exploit this by uploading a specially crafted ZIP file, leading to arbitrary file writes on the server filesystem. This is a classic path traversal vulnerability, made dangerous by the administrative privileges required to trigger it.

This vulnerability, rated with a CVSS score of 9.1, presents a significant risk for organizations using self-hosted FreeScout. Successful exploitation allows an attacker with admin access to overwrite critical system files, potentially leading to complete server compromise, data exfiltration, or denial of service. The ease with which an attacker could weaponize a ZIP archive for arbitrary file write makes this a high-priority remediation target.

Defenders must ensure their FreeScout installations are updated to version 1.8.215 or later. For those unable to patch immediately, restricting administrative access and closely monitoring file upload activities associated with module installation is crucial. Given the potential for full system compromise, a thorough audit of the server filesystem for any unexpected file modifications should be considered post-patching.