Stored Cross-Site Scripting Vulnerability in Helpy by Helpy Io
CVE-2026-40230

4.8MEDIUM

Key Information:

Vendor: Helpyio
Status: Helpy
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-40230?

A stored cross-site scripting (XSS) vulnerability exists within Helpy's knowledge base Doc rendering logic. This flaw allows an authenticated user with admin or agent editor privileges to embed arbitrary HTML or JavaScript in the body field of knowledge base documents. As a result, an attacker could exploit this issue to execute malicious scripts, potentially leading to unauthorized access to sensitive information or manipulation of the application’s behavior.

Affected Version(s)

helpy Windows 2.8.0

References

https://fluidattacks.com/es/advisories/prisioneros

third-party-advisory

https://github.com/helpyio/helpy

product

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 10, 2026

Credit

Oscar Uribe

Fluid Attacks' AI SAST Scanner

CVE-2026-40230 Data

JSON