Stored Cross-Site Scripting Vulnerability in GFI HelpDesk Software
CVE-2026-23756

5.1MEDIUM

Key Information:

Vendor: Gfi Software
Status: Helpdesk
Vendor: CVE Published:; 20 April 2026

🔔 Create Gfi Software Vulnerability Alert

What is CVE-2026-23756?

GFI HelpDesk versions prior to 4.99.9 are impacted by a stored cross-site scripting vulnerability in the Troubleshooter module. The issue arises when the subject POST parameter is not properly sanitized in functions Controller_Step.InsertSubmit() and EditSubmit(), leading to an opportunity for authenticated staff members to inject arbitrary JavaScript. The malicious payload executes when users visit the Troubleshooter > View Troubleshooter interface and click on the link associated with the affected step, potentially compromising user sessions and exposing sensitive information.

Affected Version(s)

HelpDesk 0 < 4.99.9

References

https://gfi.ai/products-and-solutions/email-and-messaging...

vendor-advisorypatch

https://www.vulncheck.com/advisories/gfi-helpdesk-stored-...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Jan 15, 2026

Credit

Alex Williams from Pellera Technologies

VulnCheck

CVE-2026-23756 Data

JSON