Description
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and EditSubmit() before being rendered by View_Step.RenderViewSteps(). An authenticated staff member can inject arbitrary JavaScript into the step subject field, and the payload executes when any user navigates to Troubleshooter > View Troubleshooter and clicks the affected step link.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored cross‑site scripting via the Troubleshooter step subject field
Action: Patch Immediately
AI Analysis

Impact

GFI HelpDesk versions prior to 4.99.9 have a stored XSS flaw within the Troubleshooter module. The subject parameter is accepted, stored, and rendered without sanitization. An attacker who can authenticate as a staff member can inject JavaScript into the subject; the code runs in the browser of any user who later views the step, enabling malicious scripts to execute on legitimate user sessions.

Affected Systems

The vulnerability affects the GFI Software HelpDesk product, specifically versions before 4.99.9.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. An authenticated staff member can exploit the flaw, and any user who views the affected step in the Troubleshooter interface becomes a victim of the injected script. The attack requires legitimate staff credentials but offers widespread impact on any user accessing the module.

Generated by OpenCVE AI on April 20, 2026 at 18:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to GFI HelpDesk version 4.99.9 or later to contain the sanitization fix.
  • Limit staff accounts to the minimum permissions required for troubleshooting, avoiding unrestricted access to the Troubleshooter step subject field.
  • Enable a content security policy (CSP) on the HelpDesk web interface to reduce the impact of any residual XSS payloads.

Generated by OpenCVE AI on April 20, 2026 at 18:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and EditSubmit() before being rendered by View_Step.RenderViewSteps(). An authenticated staff member can inject arbitrary JavaScript into the step subject field, and the payload executes when any user navigates to Troubleshooter > View Troubleshooter and clicks the affected step link.
Title GFI HelpDesk < 4.99.9 Stored XSS via Troubleshooter Step Subject
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T18:08:49.925Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23756

cve-icon Vulnrichment

Updated: 2026-04-20T18:08:45.854Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-20T18:16:24.297

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-23756

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T18:45:14Z

Weaknesses