Description
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inject malicious scripts through the companyname field that execute in the browsers of any administrator viewing the Templates > Groups page.
Published: 2026-04-20
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Stored XSS allowing arbitrary JavaScript execution for administrators
Action: Patch
AI Analysis

Impact

The vulnerability in GFI HelpDesk before version 4.99.9 allows an authenticated administrator to inject arbitrary JavaScript via the companyname POST parameter in the template group create and edit pages. The injected script runs in the browsers of any administrator who views the Templates & Groups page, creating a stored cross‑site scripting condition (CWE‑79).

Affected Systems

GFI Software HelpDesk prior to version 4.99.9, specifically the template group creation and editing functionality accessed by administrators via the Templates & Groups page.

Risk and Exploitability

The CVSS score of 4.8 reflects a moderate risk; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. Because the flaw requires authentication as an administrator, it can be exploited by a local attacker holding admin credentials or by a remote attacker who has compromised an admin account, but not by unauthenticated users. The attack vector is therefore limited to authenticated users with administrative privileges.

Generated by OpenCVE AI on April 20, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor update to version 4.99.9 or later, which removes the unsanitized input handling for the companyname field.
  • If updating immediately is not possible, restrict or audit the companyname input field and enforce role‑based access to the Templates & Groups page to limit exposure.
  • Configure a content security policy or apply server‑side sanitization to neutralize script input for the companyname parameter.
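The recommended actions above describe output escaping, input auditing and a content security policy for the companyname field. The following is an added example written for this page; it is not GFI HelpDesk code (which is PHP) and not OpenCVE's, and the function names, the sample records and the stored-value audit are all hypothetical. It contrasts the unsafe rendering pattern the advisory describes (raw interpolation of companyname into the Templates > Groups page) with an HTML-escaped rendering, and shows how an administrator could audit already-stored companyname values for markup while waiting to update to 4.99.9 or later.

```python
import html
import re

# Constructed sample records for a hypothetical template-group table.
# The second companyname carries a harmless marker script; it is constructed
# for this example and is not a payload taken from the advisory.
SAMPLE_GROUPS = [
    {"id": 1, "companyname": "Acme Ltd"},
    {"id": 2, "companyname": "Acme <script>alert(1)</script>"},
    {"id": 3, "companyname": 'Widgets "R" Us & Co'},
]

# Values that look like markup or inline-handler syntax rather than a company name.
_MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z!]|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Assumed strict CSP for the admin UI: no inline script, scripts only from the origin.
CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


def render_group_row_unsafe(group):
    """Vulnerable pattern: companyname is interpolated into HTML without encoding.
    A stored value containing markup becomes part of the page for every admin who views it."""
    return f'<tr><td>{group["id"]}</td><td>{group["companyname"]}</td></tr>'


def render_group_row(group):
    """Hardened pattern: HTML-encode the untrusted value at the point of output.
    quote=True also encodes quotes so the value is safe inside attributes."""
    safe_name = html.escape(str(group["companyname"]), quote=True)
    return f'<tr><td>{int(group["id"])}</td><td>{safe_name}</td></tr>'


def render_groups_page(groups):
    """Render the whole Templates > Groups table with escaped company names."""
    rows = "".join(render_group_row(g) for g in groups)
    return f"<table>{rows}</table>"


def contains_markup(value):
    """Return True if a companyname value contains tag-like or handler-like syntax.
    Useful for auditing existing stored values, not as a replacement for escaping."""
    return bool(_MARKUP_RE.search(str(value)))


def audit_groups(groups):
    """Return the ids of stored groups whose companyname should be reviewed."""
    return [g["id"] for g in groups if contains_markup(g["companyname"])]


if __name__ == "__main__":
    print("Flagged group ids:", audit_groups(SAMPLE_GROUPS))
    print("Hardened page:", render_groups_page(SAMPLE_GROUPS))
    print("CSP:", CSP_HEADER)
```

Escaping at output is the fix that actually closes the issue; the audit function only helps find values that were stored before the update and does not make raw rendering safe. The CSP value is an assumed baseline and would need adjusting to whatever scripts the real admin UI legitimately loads.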

Tracking

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inject malicious scripts through the companyname field that execute in the browsers of any administrator viewing the Templates > Groups page.
Title GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T18:09:59.603Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23752

Vulnrichment

Updated: 2026-04-20T18:09:56.021Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T18:16:23.947

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-23752

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses