Helpy 2.8.0 contains a stored cross‑site scripting flaw in the post author display logic. A registered user can enter arbitrary HTML into their account name field, which the application renders without escaping. When the user participates in public forum threads, the admin ticket view, or receives HTML notification emails, the malicious code is executed in the browsers of the viewers, potentially leading to credential theft, session hijacking, or defacement. This issue is a classic example of the CWE‑79 weakness, compromising confidentiality, integrity, and availability of the platform’s content. It does not provide direct code execution on the server side, but it can be leveraged for phishing across the Helpy ecosystem.

Helpy 2.8.0 running on Linux, macOS, or Windows is vulnerable. The flaw exists in the core post author rendering component. All instances of Helpy 2.8.0, regardless of host operating system, are affected. Administrators should verify the installed version and upgrade whenever possible.

The CVSS score for this vulnerability is 5.1, indicating moderate severity. EPSS data is currently unavailable, and the flaw is not listed in CISA’s KEV catalog; therefore, there is no known active exploitation at the time of this analysis. The most likely attack path relies on a malicious user creating a crafted account name with embedded JavaScript, which is then stored and subsequently displayed in multiple contexts. Because the payload is rendered in emails and on the website, any user who views a forum thread or receives a notification email on a vulnerable Helpy instance is at risk.