Is there a patch available for CVE-2026-23756?

Yes, a patch is available for CVE-2026-23756. Update the affected software to the latest version immediately.

Helpdesk CVE-2026-23756

Q: What is the CVSS score of CVE-2026-23756?

CVE-2026-23756 has a CVSS 4.0 base score of 5.1 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23908 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-20 VulnCheck

XSS Helpdesk

5.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

5.1 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Apr 20, 2026 - 18:28 vuln.today

CVSS changed

Apr 20, 2026 - 18:22 NVD

5.4 (MEDIUM) 5.1 (MEDIUM)

EUVD ID Assigned

Apr 20, 2026 - 18:00 euvd

EUVD-2026-23908

Analysis Generated

Apr 20, 2026 - 18:00 vuln.today

Patch released

Apr 20, 2026 - 18:00 nvd

Patch available

CVE Published

Apr 20, 2026 - 17:30 nvd

MEDIUM 5.1

DescriptionCVE.org

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and EditSubmit() before being rendered by View_Step.RenderViewSteps(). An authenticated staff member can inject arbitrary JavaScript into the step subject field, and the payload executes when any user navigates to Troubleshooter > View Troubleshooter and clicks the affected step link.

AnalysisAI

Stored cross-site scripting in GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject arbitrary JavaScript via the Troubleshooter step subject field, with execution occurring when any user views the affected step. The vulnerability stems from unsanitized POST parameter handling in Controller_Step.InsertSubmit() and EditSubmit() methods, enabling persistent payload storage and broad user impact within the application.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Obtain staff credentials (phishing or insider)

Delivery

Access Troubleshooter module

Exploit

Inject malicious JavaScript in step subject field

Install

Submit POST to InsertSubmit/EditSubmit

Payload stored server-side

Execute

Victim navigates to View Troubleshooter

Impact

Victim clicks affected step link

Step 8

JavaScript executes in victim browser

Step 9

Steal session token or trigger privileged action