Is there a patch available for CVE-2026-23758?

Yes, a patch is available for CVE-2026-23758. Update the affected software to the latest version immediately.

Helpdesk CVE-2026-23758

Q: What is the CVSS score of CVE-2026-23758?

CVE-2026-23758 has a CVSS 4.0 base score of 6.4 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-23910 MEDIUM

Cross-site Scripting (XSS) (CWE-79)

2026-04-20 VulnCheck

GHSA-rf6c-2qc7-c945

XSS Helpdesk

6.4

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

6.4 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Scope

Lifecycle Timeline

Analysis Generated

Apr 20, 2026 - 18:28 vuln.today

CVSS changed

Apr 20, 2026 - 18:22 NVD

5.1 (MEDIUM) 6.4 (MEDIUM)

EUVD ID Assigned

Apr 20, 2026 - 18:00 euvd

EUVD-2026-23910

Analysis Generated

Apr 20, 2026 - 18:00 vuln.today

Patch released

Apr 20, 2026 - 18:00 nvd

Patch available

CVE Published

Apr 20, 2026 - 17:30 nvd

MEDIUM 6.4

DescriptionCVE.org

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.

AnalysisAI

GFI HelpDesk before version 4.99.9 allows authenticated staff members to inject persistent JavaScript into ticket subject fields via inadequate sanitization in the editsubject POST parameter, enabling arbitrary script execution when other staff or administrators view affected tickets. The vulnerability impacts confidentiality and integrity within the application's scope, with exploitation confirmed possible but requiring valid staff credentials and user interaction (viewing the malicious ticket). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Compromise or obtain staff credentials

Delivery

Access helpdesk and create ticket

Exploit

Edit ticket subject with XSS payload

Install

Bypass SanitizeForXSS() method

Inject malicious JavaScript

Execute

Target staff/admin views ticket

Impact

Script executes in victim's browser

Step 8

Steal session or escalate privileges