Stored Cross-Site Scripting in GFI HelpDesk by GFI Software
CVE-2026-23757

5.1MEDIUM

Key Information:

Vendor: Gfi Software
Status: Helpdesk
Vendor: CVE Published:; 20 April 2026

🔔 Create Gfi Software Vulnerability Alert

What is CVE-2026-23757?

GFI HelpDesk prior to version 4.99.10 is susceptible to a stored cross-site scripting (XSS) vulnerability in the Reports module. This flaw arises from improper handling of the title parameter during report creation or editing. Without adequate HTML sanitization, attackers can exploit this vulnerability by injecting malicious JavaScript into the report title. When an unsuspecting staff member views or clicks on the compromised report link within the Manage Reports interface, the injected script executes, potentially compromising sensitive information or creating backdoor access.

Affected Version(s)

HelpDesk 0 < 4.99.10

References

https://gfi.ai/products-and-solutions/email-and-messaging...

vendor-advisorypatch

https://www.vulncheck.com/advisories/gfi-helpdesk-stored-...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Jan 15, 2026

Credit

Alex Williams from Pellera Technologies

VulnCheck

CVE-2026-23757 Data

JSON