CVE-2026-23758

UNKNOWN 0.0

GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.

CWE	CWE-79
Vendor	gfi software
Product	helpdesk
Published	Apr 20, 2026
Last Updated	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for gfi software helpdesk

Be the first to know when new unknown vulnerabilities affecting gfi software helpdesk are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

GFI Software / HelpDesk

0 < 4.99.9

References

NVD ↗ CVE.org ↗ EPSS Data ↗

gfi.ai: https://gfi.ai/products-and-solutions/email-and-messaging-solutions/helpdesk/resources/product-releases vulncheck.com: https://www.vulncheck.com/advisories/gfi-helpdesk-stored-xss-via-editsubject-parameter

Credits

Alex Williams from Pellera Technologies VulnCheck