VYPR
Medium severity (5.4) · NVD Advisory · Published Apr 20, 2026 · Updated Apr 27, 2026

CVE-2026-23758

Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field. An authenticated staff member can inject JavaScript by manipulating the editsubject POST parameter: Controller_Ticket.EditSubmit() sanitizes the value inadequately, relying on an incomplete SanitizeForXSS() method that the payload bypasses. The stored subject is then rendered for other staff members or administrators who view the affected ticket, executing the attacker's script in their browser session.
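The description above is the general pattern of a stored XSS behind a blocklist-style sanitizer: the filter removes the cases its author thought of, and a free-text field is later interpolated into HTML without output encoding. The following is an added illustration of that class, not GFI HelpDesk code and not a recorded exploit of this CVE. The `incomplete_sanitize()` routine is a hypothetical stand-in modelled only on the shape of such a filter (it is not the real `SanitizeForXSS()`), the template, the check and the sample subjects are constructed for the example, and the "fixed" path shows the approach a reviewer would expect instead: store the raw text and entity-encode it at the point where it lands in an HTML context.

```python
"""
Added illustration of a stored XSS behind an incomplete blocklist
sanitizer, and of the encode-at-output fix. Hypothetical throughout:
none of this is GFI HelpDesk code, and the filter below is NOT the
real SanitizeForXSS(); it only models the shape of such a filter.
"""
import html
import re

# Hypothetical incomplete sanitizer: strips <script>...</script> pairs
# and "javascript:" URLs, and nothing else. Applied once, not iterated.
_SCRIPT_PAIR = re.compile(r"(?is)<\s*script\b.*?>.*?<\s*/\s*script\s*>")
_JS_URL = re.compile(r"(?i)javascript\s*:")

def incomplete_sanitize(value: str) -> str:
    value = _SCRIPT_PAIR.sub("", value)
    value = _JS_URL.sub("", value)
    return value

# Correct fix for an HTML text or attribute context: entity-encode the
# raw stored value at output. quote=True also encodes " and '.
def encode_for_html(value: str) -> str:
    return html.escape(value, quote=True)

# Hypothetical view fragment: the subject is interpolated into an HTML
# text node, as a ticket header or ticket list would do.
PREFIX = '<h2 class="ticket-subject">'
SUFFIX = "</h2>"

def render_vulnerable(subject: str) -> str:
    return PREFIX + incomplete_sanitize(subject) + SUFFIX

def render_fixed(subject: str) -> str:
    return PREFIX + encode_for_html(subject) + SUFFIX

# Reviewer check for the text-node context: a raw "<" followed by a
# letter, "/", "!" or "?" opens markup; "&lt;" does not. Event-handler
# attributes only fire inside a tag, so this single check suffices here.
_OPENS_MARKUP = re.compile(r"<[A-Za-z/!?]")

def untrusted_markup_present(rendered: str) -> bool:
    inner = rendered[len(PREFIX):len(rendered) - len(SUFFIX)]
    return bool(_OPENS_MARKUP.search(inner))

# Constructed sample subjects for the example (not taken from the CVE).
SAMPLES = {
    "angle_brackets": "Printer on floor 3 jammed <again>",
    "script_tag": "Help <script>alert(1)</script>",
    # Nested tag: one pass of the strip leaves a working <script> behind.
    "nested_tag": "<scr<script></script>ipt>alert(1)</script>",
    "event_handler": 'Help <img src=x onerror="alert(1)">',
}

def evaluate(render) -> dict:
    """Map sample name -> whether the rendered page gained markup from input."""
    return {name: untrusted_markup_present(render(s)) for name, s in SAMPLES.items()}

if __name__ == "__main__":
    for label, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        for sample, flagged in evaluate(render).items():
            print(f"{label:10s} {sample:14s} markup_from_input={flagged}")
```

Two things to notice when running it: the blocklist catches only the literal `<script>` case, and the nested-tag sample shows why a single-pass strip is not a fix at all, since removing the inner pair reassembles an outer one. The encoded path never yields a raw `<` in the page, including for the harmless subject containing `<again>`, which the blocklist would otherwise silently turn into an unknown element.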


Affected products

  • cpe:2.3:a:gfi:helpdesk:*:*:*:*:*:*:*:* (versions < 4.99.9)
