CVE-2026-23758 - Vulnerability Details

- GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter

Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.

Published: 2026-04-20

Score: 6.4 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability resides in GFI HelpDesk versions prior to 4.99.9, where the editsubject POST parameter is processed by Controller_Ticket.EditSubmit() with insufficient sanitization. This flaw permits authenticated staff members to embed JavaScript into the ticket subject field, which is later rendered when other staff or administrators view the ticket, enabling arbitrary script execution. The primary impact is client‑side code execution, potentially leading to credential theft, defacement, or further lateral movement within the intranet, depending on the attacker’s access level.

Affected Systems

Affected systems include all installations of GFI Software HelpDesk with a release earlier than 4.99.9. No specific build numbers beyond the major version are listed, so any deployment with a lower release should be scrutinized.

Risk and Exploitability

The CVSS score of 6.4 indicates medium severity. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no confirmed exploitation reports yet. The likely attack path requires user authentication and permission to edit tickets, meaning the threat is confined to staff accounts. However, once the malicious payload is embedded, any staff member viewing the ticket will trigger execution of the injected JavaScript.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

GFI Software

HelpDesk

unaffected

Version	Status	Constraints
`0`	affected	< 4.99.9

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade GFI HelpDesk to version 4.99.9 or later
If an upgrade cannot be performed immediately, limit staff permissions to editing ticket subjects or disable the editsubject function until remediation is possible
Deploy a web‑application firewall or content‑filtering rule to block or sanitize script tags before rendering ticket content

Generated by OpenCVE AI on April 20, 2026 at 20:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://gfi.ai/products-and-solutions/email-and-messaging-solutions/helpdesk/resources/product-releases
https://www.vulncheck.com/advisories/gfi-helpdesk-stored-xss-via-editsubject-parameter

History

Mon, 20 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 18:00:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`	cvssV4_0 `{'score': 6.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H'}`

Mon, 20 Apr 2026 17:45:00 +0000

Type	Values Removed	Values Added
Description		GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.
Title		GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter
Weaknesses		CWE-79
References		https://gfi.ai/products-and-solutions/email-and-messaging-solutions/helpdesk/resources/product-releases https://www.vulncheck.com/advisories/gfi-helpdesk-stored-xss-via-editsubject-parameter
Metrics		cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}`

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2026-04-20T17:30:06.853Z

Updated: 2026-04-20T17:45:55.788Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23758

Vulnrichment

Updated: 2026-04-20T17:45:52.114Z

NVD

Status : Awaiting Analysis

Published: 2026-04-20T18:16:24.643

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-23758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact High

Subsequent System Integrity Impact High

Subsequent System Availability Impact High

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object