File Path Validation Vulnerability in FreeScout Help Desk Software
CVE-2026-41193

9.1 CRITICAL

Key Information:

CVE Published:
21 April 2026

What is CVE-2026-41193?

FreeScout, a self-hosted help desk application, extracts ZIP archives in its module installation feature without validating the file paths of the archive entries. An authenticated administrator can upload a specially crafted ZIP file and cause arbitrary file writes on the server's filesystem. The issue is fixed in version 1.8.215; installations running an earlier version should update.
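A defensive check for the flaw described above, as an added example that is not FreeScout's code or its fix: it is written in Python rather than FreeScout's PHP, and the function names, destination path and entry names are assumptions constructed for illustration. It resolves every entry against the extraction directory and rejects the whole archive if any entry would land outside it.

```python
import os
import zipfile


def unsafe_entries(names, dest_dir):
    """Return the entry names that would resolve outside dest_dir."""
    root = os.path.realpath(dest_dir)
    bad = []
    for name in names:
        # Archives built on Windows may use backslashes as separators.
        normalized = name.replace("\\", "/")
        # An absolute name makes os.path.join discard root; "../" climbs out of it.
        target = os.path.realpath(os.path.join(root, normalized))
        if os.path.commonpath([root, target]) != root:
            bad.append(name)
    return bad


def safe_extract(archive, dest_dir):
    """Extract only if every entry stays inside dest_dir; otherwise write nothing."""
    with zipfile.ZipFile(archive) as zf:
        names = zf.namelist()
        bad = unsafe_entries(names, dest_dir)
        if bad:
            # Reject the upload instead of silently rewriting paths, so the
            # event can be logged and reviewed.
            raise ValueError(f"archive rejected, entries escape {dest_dir!r}: {bad}")
        zf.extractall(dest_dir)
        return names


if __name__ == "__main__":
    # Constructed entry names and a placeholder destination, for illustration only.
    sample = [
        "Demo/module.json",     # stays inside
        "Demo/../readme.txt",   # ".." that still resolves inside
        "../outside.txt",       # climbs out of the destination
        "/abs/outside.txt",     # absolute path
    ]
    print(unsafe_entries(sample, "/srv/app/modules"))
```

Python's own `zipfile` strips `..` and absolute components during extraction; the explicit check is what an extractor without that behaviour needs, and it turns a silent rewrite into a rejected upload.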

Affected Version(s)

freescout < 1.8.215

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
