Stored Cross-Site Scripting Vulnerability in Helpy by Helpy.io
CVE-2026-40229

5.1MEDIUM

Key Information:

Vendor: Helpyio
Status: Helpy
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-40229?

Helpy has a stored cross-site scripting vulnerability in its post author display logic. Any registered user can input malicious HTML into their account name field, leading to rendering of the unescaped code in various public forum threads, in the administrative ticket view, and within HTML notification emails sent to other users. This exploitation could allow attackers to execute arbitrary scripts in the context of other users' sessions, potentially compromising user data and enabling further attacks.

Affected Version(s)

helpy Windows 2.8.0

References

https://fluidattacks.com/es/advisories/offspring

third-party-advisory

https://github.com/helpyio/helpy

product

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 10, 2026

Credit

Oscar Uribe

Fluid Attacks' AI SAST Scanner

CVE-2026-40229 Data

JSON