Stored Cross-Site Scripting Vulnerability in GFI HelpDesk Software
CVE-2026-23758
6.4 MEDIUM
What is CVE-2026-23758?
GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field. An authenticated staff member can submit JavaScript through the editsubject POST parameter; the sanitization applied during ticket editing, specifically in the Controller_Ticket.EditSubmit() function, is incomplete and can be bypassed, so the script is stored with the ticket. When other staff members or administrators later view the affected ticket, the injected JavaScript executes in their browser sessions, with potentially harmful consequences for those users.
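As an added illustration (not GFI HelpDesk's own code; the function names and the 255-character cap are assumptions), the Python below sketches the two layers a ticket-subject handler needs so that a stored subject cannot become script when another staff member views the ticket: a storing step that keeps the submitted text verbatim, and HTML output encoding at render time. A constructed blocklist-style sanitizer sits alongside to show why stripping one tag leaves raw markup in the page.

```python
import html
import re

# Hypothetical helpers modelling a ticket-subject handler; they are not
# GFI HelpDesk code. The advisory's fix detail is not public here, so this
# shows the defensive pattern rather than the vendor's patch.

MAX_SUBJECT_LEN = 255  # assumed limit for a subject field


def normalize_subject(editsubject: str) -> str:
    """Validate the 'editsubject' POST value before storing it.

    The text is stored as typed: no attempt is made to rewrite markup.
    Only surrounding whitespace, C0/DEL control characters and excess
    length are removed. Safety comes from encoding at output time.
    """
    subject = editsubject.strip()
    subject = re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", subject)
    return subject[:MAX_SUBJECT_LEN]


def render_subject_html(stored_subject: str) -> str:
    """Encode the stored subject for an HTML text or attribute context.

    html.escape with quote=True encodes & < > " and ', so no byte in the
    subject can open a tag or terminate an attribute value.
    """
    return html.escape(stored_subject, quote=True)


def blocklist_strip(editsubject: str) -> str:
    """Constructed example of an incomplete sanitizer.

    It removes only literal <script> tags, so any other element in the
    subject reaches the page unchanged. This is the class of defence the
    advisory describes as bypassable, kept here for contrast only.
    """
    return re.sub(r"(?i)</?script[^>]*>", "", editsubject)


def contains_raw_markup(rendered: str) -> bool:
    """True if output bound for an HTML page still carries characters that
    could start a tag or end an attribute; a render path should return False."""
    return any(ch in rendered for ch in "<>\"'")


if __name__ == "__main__":
    # Constructed sample subject mixing ordinary text with markup.
    sample = 'Printer "HQ-3" offline <b>again</b>'
    print(render_subject_html(normalize_subject(sample)))
```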
Affected Version(s)
HelpDesk versions from 0 up to, but not including, 4.99.9
CVSS v4
Score: 6.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Alex Williams from Pellera Technologies
VulnCheck
