GFI HelpDesk CVE-2026-23758

EUVD-2026-23910 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-20 VulnCheck GHSA-rf6c-2qc7-c945
6.4 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Passive (P)
Scope: X

Lifecycle Timeline

Analysis Generated: Apr 20, 2026 - 18:28 (vuln.today)
CVSS changed: Apr 20, 2026 - 18:22 (NVD), 5.1 (MEDIUM) → 6.4 (MEDIUM)

Description (NVD)

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.

Analysis (AI)

GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subject fields via inadequate sanitization in the editsubject POST parameter, enabling arbitrary script execution when other staff or administrators view affected tickets. The vulnerability impacts confidentiality and integrity within the application's scope, with exploitation confirmed possible but requiring valid staff credentials and user interaction (viewing the malicious ticket). …
