Medium severity5.4NVD Advisory· Published Apr 29, 2026· Updated May 1, 2026

CVE-2026-40229

Description

Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users.This issue affects helpy: 2.8.0.

Affected products

Helpy.io/Helpy
cpe:2.3:a:helpy.io:helpy:2.8.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

fluidattacks.com/es/advisories/offspringnvdExploitThird Party Advisory

News mentions

No linked articles in our index yet.

Severity

MediumCVSS v3.1

5.4/ 10

CVSS v45.1

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack vector: Network
Complexity: Low
Privileges: Low
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

Probability of exploitation in the next 30 days.

0.03%

VYPR risk score

Composite of severity, exploitation, and reach.

0.35medium

cvss	0.351
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000

Weaknesses

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE ID

CVE-2026-40229

Source code

github.com/helpyio/helpy

Credits

FA
Fluid Attacks' AI SAST Scanner
finder
OU
Oscar Uribe
finder