Stored Cross-Site Scripting Vulnerability in GFI HelpDesk by GFI Software
CVE-2026-23752

4.8MEDIUM

Key Information:

Vendor: Gfi Software
Status: Helpdesk
Vendor: CVE Published:; 20 April 2026

🔔 Create Gfi Software Vulnerability Alert

What is CVE-2026-23752?

GFI HelpDesk prior to version 4.99.9 is susceptible to a stored cross-site scripting (XSS) vulnerability that arises from improper handling of the companyname parameter during the creation and editing of template groups. Authenticated administrators can exploit this flaw by injecting arbitrary JavaScript code. When an affected template is viewed, the malicious script executes in the web browser of any administrator, creating a significant security risk. This vulnerability underscores the importance of input sanitization to prevent such attacks.

Affected Version(s)

HelpDesk 0 < 4.99.9

References

https://gfi.ai/products-and-solutions/email-and-messaging...

vendor-advisorypatch

https://www.vulncheck.com/advisories/gfi-helpdesk-stored-...

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Jan 15, 2026

Credit

Alex Williams from Pellera Technologies

VulnCheck

CVE-2026-23752 Data

JSON