A critical vulnerability (CVE-2026-28289) in the open-source help desk platform FreeScout allows unauthenticated, zero-click Remote Code Execution (RCE) via a specially crafted email. This vulnerability bypasses previous security patches by exploiting a Zero-Width Space character to upload malicious .htaccess files, potentially leading to system takeover and data exfiltration.
Edward Kiledjian
@ekiledjian
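An added example, not FreeScout's code and not part of the original post: a Python sketch of the defensive check this class of bypass calls for, where the allow/deny decision is made on the canonical attachment name that will reach the disk rather than on the raw name from the email. The deny-list beyond `.htaccess`, the function names and the sample names are assumptions constructed for illustration.

```python
import unicodedata

# Names that alter web-server behaviour when written into a served directory.
# Assumed deny-list for this sketch; the post itself only names .htaccess.
BLOCKED_NAMES = {".htaccess", ".htpasswd", ".user.ini", "web.config"}


def canonical_name(raw: str) -> str:
    """Reduce an attachment name to the (lower-cased) form that is stored."""
    # NFKC folds compatibility forms such as fullwidth '.' (U+FF0E) to ASCII.
    name = unicodedata.normalize("NFKC", raw)
    # Drop invisible format (Cf) and control (Cc) characters: U+200B
    # zero-width space, U+200D joiner, U+FEFF BOM, bidi overrides, NUL.
    name = "".join(c for c in name
                   if unicodedata.category(c) not in ("Cf", "Cc"))
    # Keep only the last path component, then trim spaces and trailing dots.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ").lower()


def naive_is_allowed(raw: str) -> bool:
    """Weak pattern (assumed): inspect the raw name, sanitise afterwards."""
    return not raw.startswith(".") and raw.lower() not in BLOCKED_NAMES


def is_allowed(raw: str) -> bool:
    """Decide on the canonical name and reject every dotfile outright."""
    name = canonical_name(raw)
    return (bool(name) and not name.startswith(".")
            and name not in BLOCKED_NAMES)


def storage_name(raw: str) -> str:
    """Return the name to write, or raise so the attachment is dropped."""
    if not is_allowed(raw):
        raise ValueError("attachment name rejected: %r" % raw)
    return canonical_name(raw)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real message.
    samples = ["invoice.pdf", ".htaccess", "\u200b.htaccess",
               ".hta\u200bccess", "uploads/\ufeff.HTACCESS",
               "report\u200b.pdf"]
    for s in samples:
        print(ascii(s), "naive:", naive_is_allowed(s),
              "hardened:", is_allowed(s))
```

The same canonical form should be the one passed to the file-write call, so the name that was checked and the name that is stored cannot diverge.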