# Critical Vulnerability Information

## Vulnerability Overview

The file upload restriction list in FreeScout does not include `.htaccess` and `.user.ini` files. On Apache servers configured with `AllowOverride All`, authenticated users can upload `.htaccess` files to redefine file handling, leading to Remote Code Execution (RCE).

## Related Information

- **Vulnerability Type**: Remote Code Execution (RCE)
- **CVSS Score**: 8.8/10
- **CVE ID**: CVE-2026-27636
- **CVE Weakness**: CWE-434

## Scope of Impact

- **Affected Versions**: `

Example access URL:

```bash
curl "https://target.com/storage/app/attachment/1/shell.txt?cmd=id"
```

## Result

File upload successful, return value:

```json
{"status":"success"}
```

## Critical Vulnerability Combination

When combined with the TokenAuth bypass vulnerability (GHSA-6gcm-v8xf-j9v9), unauthenticated attackers can first gain administrative privileges and subsequently achieve RCE.
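The root cause described above is an upload denylist that does not cover server-configuration files. The Python below is an added example and is not FreeScout's code: it shows a defender-side upload-name gate that rejects `.htaccess`, `.user.ini` and other per-directory configuration files (including case and path-traversal variants), and an incident-response scan that lists any such files already present under an upload root. The `SERVER_CONFIG_NAMES` and `EXECUTABLE_EXTENSIONS` sets, the function names, and the constructed directory tree in `demo_scan` are assumptions chosen for illustration.

```python
"""Added example (not FreeScout's code): reject server-configuration files at
upload time, and find any that already slipped into an upload directory."""
import os
import tempfile

# Names that Apache or PHP read as per-directory configuration. Any of these
# inside a web-served upload directory can change how sibling files are handled.
# Assumption: this set matches the deployed stack; extend it as needed.
SERVER_CONFIG_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}

# Extensions the web server may hand to a script handler. Assumption: adjust to
# match the handlers actually configured on the server.
EXECUTABLE_EXTENSIONS = {"php", "phtml", "phar", "php3", "php4", "php5",
                         "php7", "php8", "phps", "pht"}


def normalize_name(name: str) -> str:
    """Reduce a submitted filename to the form the filesystem will store it as.

    Drops NUL bytes, directory components (both separator styles), trailing
    dots and spaces (which Windows silently removes), and lower-cases the
    result so that ".HTACCESS " and ".htaccess" compare equal.
    """
    name = name.replace("\x00", "")
    name = os.path.basename(name.replace("\\", "/"))
    return name.rstrip(". ").lower()


def upload_name_allowed(name: str) -> bool:
    """Return True only for names that are safe to store in a web-served path."""
    n = normalize_name(name)
    if not n or n.startswith("."):
        # Empty, "." / "..", and every dotfile (covers .htaccess and .user.ini).
        return False
    if n in SERVER_CONFIG_NAMES:
        # Non-dotfile configuration names such as web.config.
        return False
    # Check every dotted segment after the base name, so that a double
    # extension like "shell.php.txt" is still caught.
    if any(seg in EXECUTABLE_EXTENSIONS for seg in n.split(".")[1:]):
        return False
    return True


def find_config_overrides(root: str) -> list[str]:
    """Incident-response check: list configuration files and dotfiles already
    present under an upload root, as paths relative to that root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            n = normalize_name(f)
            if n in SERVER_CONFIG_NAMES or n.startswith("."):
                found.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(found)


def demo_scan() -> list[str]:
    """Build a constructed upload tree in a temporary directory and scan it.

    The tree is invented for this example: one legitimate attachment and two
    configuration files that should never have been accepted.
    """
    with tempfile.TemporaryDirectory() as root:
        for rel in ("1/report.txt", "1/.htaccess", "2/.user.ini"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write("constructed sample content\n")
        return find_config_overrides(root)


if __name__ == "__main__":
    for candidate in (".htaccess", ".user.ini", "../.HTACCESS ", "shell.php.txt",
                      "report.txt"):
        print(f"{candidate!r:20} allowed={upload_name_allowed(candidate)}")
    print("overrides found:", demo_scan())
```

The name check is a second line of defence, not a replacement for server configuration: Apache only honours `.htaccess` where `AllowOverride` permits it, so the storage tree should be served with `AllowOverride None`, and `.user.ini` is read by PHP-FPM/CGI from the directory of the executing script, so uploads should live where no script handler is mapped at all.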