Description
Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0.
Published: 2026-04-29
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Helpy 2.8.0 includes a stored cross‑site scripting vulnerability in the rendering logic of the knowledge base Doc body. An authenticated attacker who possesses admin or agent editor roles can persist arbitrary HTML or JavaScript within a Doc’s body field. The injected payload is then served to any user who views that Doc, enabling the attacker to steal session cookies, deface the site, or conduct other client‑side attacks.

Affected Systems

The affected product is Helpy by helpyio, specifically version 2.8.0. The vulnerability is present across all supported operating systems (Linux, macOS, Windows) as indicated by the corresponding CPE entries.

Risk and Exploitability

The vulnerability has a CVSS score of 4.8, placing it in the moderate severity range. EPSS data is not available and the issue is not listed in the CISA KEV catalog. Because the attack requires authenticated privileges, exploitation is limited to users who already have admin or agent editor rights; nonetheless, once compromised, the attacker can affect any user who views the injected Doc.

Generated by OpenCVE AI on April 29, 2026 at 21:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Helpy to a version that contains the fix for CVE-2026-40230.
  • Configure the application to strip or escape HTML and JavaScript content in the knowledge base Doc body field, thereby mitigating CWE‑79 vulnerabilities.
  • Restrict the number of users with admin or agent editor privileges and monitor Doc content for suspicious script tags to detect potential abuse.

Generated by OpenCVE AI on April 29, 2026 at 21:19 UTC.
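As an added example (not part of the OpenCVE record or of Helpy's own code), the two controls from the list above written in Ruby, the language Helpy is implemented in: escaping or allowlist-sanitising a Doc body before it is rendered, plus a coarse detector for the script-tag monitoring the last item recommends. The tag and attribute allowlist, the helper names and the sample Doc body are assumptions; a Rails deployment would normally rely on rails-html-sanitizer rather than a hand-written tokenizer like this one.

```ruby
require 'cgi'

# Tags and attributes a knowledge base Doc body is allowed to keep (assumed policy).
ALLOWED_TAGS  = %w[p br b i strong em ul ol li a code pre h2 h3].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

# Strictest mitigation: render the Doc body as plain text. No markup survives.
def escape_doc_body(body)
  CGI.escapeHTML(body)
end

# Allowlist mitigation: keep a few formatting tags, drop every other tag and every
# unlisted attribute. Text between tags (and any stray '<') is escaped, so editor
# input can never become markup the sanitizer did not explicitly allow.
def sanitize_doc_body(body)
  body.gsub(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+|<)}) do
    closing, tag, attrs, text = $1, $2, $3, $4
    next CGI.escapeHTML(text) if text
    tag = tag.downcase
    next '' unless ALLOWED_TAGS.include?(tag)
    next "</#{tag}>" if closing == '/'
    kept = (ALLOWED_ATTRS[tag] || []).filter_map do |name|
      value = attrs[/\b#{name}\s*=\s*"([^"]*)"/i, 1] # only double-quoted values honoured
      next unless value
      uri = value.strip
      # Allow listed schemes, same-origin paths and fragments; reject javascript: and //host
      next unless uri.match?(%r{\A(?:#{SAFE_SCHEMES.join('|')}):}i) || uri.match?(%r{\A(?:/(?!/)|#)})
      %( #{name}="#{CGI.escapeHTML(uri)}")
    end
    "<#{tag}#{kept.join}>"
  end
end

# Monitoring heuristic for the "watch Doc content for script tags" control:
# coarse triage patterns, not a sanitizer. Expect some false positives.
SUSPICIOUS_MARKUP = [
  /<\s*script\b/i, /<\s*(iframe|object|embed|svg)\b/i,
  /\bon[a-z]+\s*=/i, /javascript\s*:/i
].freeze

def suspicious_doc_body?(body)
  SUSPICIOUS_MARKUP.any? { |re| body.match?(re) }
end

# Constructed sample: a legitimate Doc body with an injected script appended.
CONSTRUCTED_DOC_BODY =
  '<p>Reset your password <a href="https://help.example/reset">here</a>.</p>' \
  '<script>alert(1)</script>'
```

Running `sanitize_doc_body(CONSTRUCTED_DOC_BODY)` keeps the paragraph and link but leaves only the literal text `alert(1)` where the script tags were, and `suspicious_doc_body?` flags the original body for review.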


Advisories

No advisories yet.

History

Fri, 01 May 2026 12:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:helpy.io:helpy:2.8.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 30 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Helpy.io
Helpy.io helpy
Vendors & Products Helpy.io
Helpy.io helpy

Wed, 29 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 29 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Description Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0.
Title Helpy 2.8.0 - Stored XSS in knowledgebase Doc body rendering
First Time appeared Helpyio
Helpyio helpy
Weaknesses CWE-79
CPEs cpe:2.3:a:helpyio:helpy:2.8.0:*:linux:*:*:*:*:*
cpe:2.3:a:helpyio:helpy:2.8.0:*:macos:*:*:*:*:*
cpe:2.3:a:helpyio:helpy:2.8.0:*:windows:*:*:*:*:*
Vendors & Products Helpyio
Helpyio helpy
References
Metrics cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Fluid Attacks

Published:

Updated: 2026-04-29T16:20:34.028Z

Reserved: 2026-04-10T16:07:49.031Z

Link: CVE-2026-40230

Vulnrichment

Updated: 2026-04-29T16:20:30.646Z

NVD

Status : Analyzed

Published: 2026-04-29T16:16:24.350

Modified: 2026-05-01T12:26:33.710

Link: CVE-2026-40230

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:15:31Z

Weaknesses