CVE-2026-41193 Overview
CVE-2026-41193 is a critical path traversal vulnerability affecting FreeScout, a popular free self-hosted help desk and shared mailbox solution. Prior to version 1.8.215, FreeScout's module installation feature extracts ZIP archives without properly validating file paths. This flaw allows an authenticated administrator to write files to arbitrary locations on the server filesystem by uploading a specially crafted ZIP archive whose entry names contain path traversal sequences.
Critical Impact
An authenticated administrator can achieve arbitrary file write on the server, potentially leading to full system compromise through remote code execution by overwriting critical application files or placing web shells in accessible locations.
Affected Products
- FreeScout versions prior to 1.8.215
- FreeScout self-hosted help desk installations with the module installation feature enabled
- Systems where authenticated administrators have access to the module upload functionality
Discovery Timeline
- April 21, 2026 - CVE-2026-41193 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-41193
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Path Traversal), where the application fails to properly sanitize file paths extracted from ZIP archives during the module installation process. When an administrator uploads a ZIP file through FreeScout's module installation feature, the application extracts the archive contents without checking for directory traversal sequences such as ../ or ..\ within filenames.
The flaw exists in the Zipper component used by FreeScout, specifically in how it handles file extraction paths. Without proper validation, an attacker-controlled ZIP file can include entries with relative path components that escape the intended extraction directory, allowing files to be written anywhere on the filesystem where the web server has write permissions.
Root Cause
The root cause of this vulnerability lies in the absence of path validation logic in the ZIP extraction routine. The Zipper.php component processed filenames from ZIP archives directly without checking whether the resulting destination path remained within the expected extraction directory. This oversight allowed malicious ZIP entries containing ../ sequences to traverse the directory structure and write files to arbitrary locations.
Attack Vector
The attack requires network access and high privileges (administrator authentication). An attacker with administrative access to a FreeScout instance can:
- Craft a malicious ZIP file containing entries with path traversal sequences (e.g., ../../../var/www/html/shell.php)
- Upload the ZIP through the module installation feature
- Rely on the vulnerable extraction routine to write the entries outside the intended module directory
- Depending on the target path, overwrite configuration files, plant web shells, or modify application code
The security patch implemented validation at two levels to prevent this attack:
{
$tmpPath = str_replace($this->getInternalPath(), '', $fileName);
+ // Prevent Zip traversal attacks
+ if (strpos($fileName, '../') !== false || strpos($fileName, '..\\') !== false) {
+ \Log::error('[Zipper] Path traversal detected - special characters found within filename: '.$fileName);
+ throw new \RuntimeException('Zipper: Path traversal detected - special characters found within filename');
+ }
+ // Block path traversal attempts
+ $realBase = realpath($path);
+ $realDest = realpath(pathinfo($path . DIRECTORY_SEPARATOR . $tmpPath)['dirname'] ?? '');
+ if ($realDest === false || strpos($realDest, $realBase) !== 0) {
+ \Log::error('[Zipper] Path traversal detected - path: '.$path.'; fileName: '.$fileName.'; realBase: '.$realBase.'; tmpPath: '.$tmpPath.'; realDest: '.$realDest);
+ throw new \RuntimeException('Zipper: Path traversal detected');
+ }
+
// We need to create the directory first in case it doesn't exist
$dir = pathinfo($path.DIRECTORY_SEPARATOR.$tmpPath, PATHINFO_DIRNAME);
if (!$this->file->exists($dir) && !$this->file->makeDirectory($dir, 0755, true, true)) {
- throw new \RuntimeException('Failed to create folders');
+ throw new \RuntimeException('Zipper: Failed to create folders');
}
$toPath = $path.DIRECTORY_SEPARATOR.$tmpPath;
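Review bot: the containment test `strpos($realDest, $realBase) !== 0` is a plain string-prefix comparison, so with a base of `/var/www/Modules` a resolved destination under `/var/www/Modules-old/` would also pass; for defence in depth, compare against `$realBase . DIRECTORY_SEPARATOR` or require `$realDest === $realBase`. Separately, `realpath(pathinfo(...)['dirname'])` runs before the `makeDirectory()` call that follows, and PHP's `realpath()` returns `false` for a path that does not yet exist, so an entry whose parent directory is created only by this extraction would be rejected as traversal; either confirm that directory entries are always extracted before the files inside them, or resolve the nearest existing ancestor of the destination before comparing.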
Source: GitHub Commit
Detection Methods for CVE-2026-41193
Indicators of Compromise
- Unexpected files appearing outside the FreeScout modules directory after module installation attempts
- Web shells or PHP files in web-accessible directories that were not legitimately installed
- Modifications to FreeScout configuration files (config/app.php, .env) or core application files
- Log entries showing ZIP extraction operations with unusual file paths containing ../ sequences
Detection Strategies
- Monitor file system write operations in the FreeScout installation directory and parent directories during module uploads
- Implement file integrity monitoring (FIM) on critical FreeScout files and system directories
- Review web server access logs for requests to unexpected PHP files that may indicate deployed web shells
- Audit FreeScout application logs for errors related to ZIP extraction or module installation failures
Monitoring Recommendations
- Enable detailed logging for the FreeScout module installation process to capture file extraction events
- Configure alerts for new file creation events outside expected module directories
- Implement regular file system scans comparing against known-good baselines
- Monitor administrator actions in FreeScout audit logs for suspicious module installation activity
How to Mitigate CVE-2026-41193
Immediate Actions Required
- Upgrade FreeScout to version 1.8.215 or later immediately
- Audit the file system for any unexpected files that may have been written outside module directories
- Review administrator accounts and remove unnecessary administrative access
- Check web-accessible directories for suspicious PHP files that could be web shells
Patch Information
FreeScout version 1.8.215 addresses this vulnerability by implementing path validation in the ZIP extraction process. The fix includes two layers of protection: first, it checks for the presence of ../ or ..\ sequences in filenames; second, it validates that the resolved destination path remains within the expected base directory using realpath() comparisons.
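As an added illustration (not FreeScout's or the Zipper library's code), the following Python reproduces the two validation layers described above as a pre-extraction scanner and runs it over a constructed sample archive; the modules directory path and the entry names are placeholders.

```python
import io
import os
import zipfile


def has_traversal_sequence(name: str) -> bool:
    """Layer 1, like the patch's string check: reject an entry name that
    contains '../' or '..\\' before any path is resolved."""
    return "../" in name or "..\\" in name


def resolves_inside(base_dir: str, name: str) -> bool:
    """Layer 2, like the patch's realpath() comparison: normalise the would-be
    destination and require it to stay under base_dir. commonpath() is used
    instead of a plain string-prefix test so that a sibling directory whose
    name merely starts with base_dir is not accepted."""
    real_base = os.path.realpath(base_dir)
    dest = os.path.realpath(os.path.join(real_base, name.replace("\\", "/")))
    return os.path.commonpath([real_base, dest]) == real_base


def is_safe_entry(base_dir: str, name: str) -> bool:
    """An entry is safe only if it is relative and passes both layers."""
    return (not os.path.isabs(name)
            and not has_traversal_sequence(name)
            and resolves_inside(base_dir, name))


def unsafe_entries(zip_bytes: bytes, base_dir: str) -> list:
    """Scan an uploaded archive (as bytes) and return every entry name that
    would land outside base_dir. An empty list means extraction may proceed."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not is_safe_entry(base_dir, i.filename)]


def build_sample_module_zip() -> bytes:
    """Constructed sample archive (not a real FreeScout module): one benign
    module file plus one entry of the traversal kind the advisory describes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ExampleModule/module.json", "{}")
        zf.writestr("../../outside.txt", "this would escape the modules dir")
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder modules directory; it need not exist for the check to run.
    flagged = unsafe_entries(build_sample_module_zip(), "/tmp/freescout/Modules")
    print("rejected entries:", flagged)  # ['../../outside.txt']
```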
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-r85m-5mc9-cc9w and the GitHub Release 1.8.215.
Workarounds
- Restrict module installation capability to only essential trusted administrators until the patch is applied
- Disable the module installation feature entirely if not required for operations
- Implement network-level restrictions to limit access to the FreeScout admin panel
- Deploy a web application firewall (WAF) to inspect uploaded files for path traversal patterns
# Configuration example (Apache): restrict FreeScout by source IP.
# Every FreeScout request is routed through public/index.php, so this
# limits the whole web interface, not only the admin panel.
<Directory /var/www/freescout/public>
    <Files "index.php">
        # Allow only trusted administrator networks
        Require ip 10.0.0.0/8 192.168.1.0/24
    </Files>
</Directory>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

