CVE-2026-23756

216.73.217.22

· Published 20/04/2026 18:16 · Modified 20/04/2026 19:05

Labels: CVE-2026-23756 2026-04-20 CVE-2026-23756 CWE-79 [email protected]

Essential information

Published: 20/04/2026 18:16
Modified: 20/04/2026 19:05
Author: —
Creator: —
CVSS: 5.1 MEDIUM (v3) 5.1 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the Troubleshooter module where the subject POST parameter is not sanitized in Controller_Step.InsertSubmit() and EditSubmit() before being rendered by View_Step.RenderViewSteps(). An authenticated staff member can inject arbitrary JavaScript into the step subject field, and the payload executes when any user navigates to Troubleshooter > View Troubleshooter and clicks the affected step link.

NVD status

Status: Undergoing Analysis — CVE has been marked for Analysis. Normally once in this state the CVE will be analyzed by NVD staff within 24 hours.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
gfi / helpdesk	`cpe:2.3:a:gfi:helpdesk:<4.99.9:::::::*`