Mail2Shell – CVE-2026-28289: New Zero-Click RCE On FreeScout - OX Security
www.ox.security
OX Research found a filename validation bypass that escalates a prior patched authenticated RCE into Zero‑Click Unauthenticated RCE (CVE-2026-28289), patched in FreeScout v1.8.207. TL;DR Urgent Security Alert: Just days after an authenticated RCE vulnerability in FreeScout was disclosed, researchers at OX Research identified a bypass that escalates the issue into a Zero‑Click Unauthenticated RCE. The vulnerability, now tracked as CVE‑2026‑28289,…