CVE-2026-23756
Stored XSS in GFI HelpDesk Troubleshooter Allows Script Injection
Publication date: 2026-04-20
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gfi | helpdesk | before 4.99.9 (4.99.9 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23756 is a stored cross-site scripting (XSS) vulnerability in GFI HelpDesk versions before 4.99.9. It occurs in the Troubleshooter module where the "subject" POST parameter is not properly sanitized in the Controller_Step.InsertSubmit() and EditSubmit() functions. This allows an authenticated staff member to inject arbitrary JavaScript code into the step subject field.
When any user navigates to Troubleshooter > View Troubleshooter and clicks the affected step link, the injected malicious script executes, potentially compromising the user's session or data.
How can this vulnerability impact me?
This vulnerability allows an authenticated staff member to inject malicious JavaScript code that executes in the context of other users who view the affected Troubleshooter step. This can lead to session hijacking, unauthorized actions performed on behalf of users, or exposure of sensitive information.
The impact is limited by the requirement that the attacker must have authenticated staff privileges and that the victim must click the compromised link, but it still poses a risk to the confidentiality and integrity of user interactions within the application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is a stored cross-site scripting flaw in the Troubleshooter module of GFI HelpDesk before version 4.99.9, reachable through the "subject" POST parameter handled by Controller_Step.InsertSubmit() and EditSubmit(). Detection therefore comes down to finding step subject fields, or the POST requests that wrote them, that contain JavaScript or HTML markup rather than plain text.
Since the vulnerability requires authenticated staff access and the injection occurs via POST requests, monitoring HTTP POST requests to the Troubleshooter module for suspicious or unexpected JavaScript payloads in the "subject" parameter can help detect exploitation attempts.
Commands or methods to detect this might include:
- Using web server logs or a proxy tool (e.g., Burp Suite) to inspect POST requests to the Troubleshooter module for script tags or JavaScript code in the "subject" parameter.
- Searching the database or application data storage for step subject fields containing JavaScript code or HTML tags.
- Using grep or similar tools on logs or exported data, for example: `grep -i '<script' /path/to/logs/*` or `grep -i 'javascript:' /path/to/database_dump.sql`
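The grep commands above only match payloads that appear literally in the file; a request log normally stores the POST body URL-encoded, so `<script>` arrives as `%3Cscript%3E` and a raw grep misses it. The following added example (not part of this advisory or of GFI HelpDesk) decodes the "subject" parameter before matching and scopes the check to POSTs against the Troubleshooter step controllers; it also applies the same indicators to a list of stored step subjects, which covers the database-export check. The log format, request paths and log lines are constructed for the example and are assumptions, not the product's real routes or log layout.

```python
import html
import re
from urllib.parse import parse_qs

# Constructed sample log lines (not real GFI HelpDesk logs). The format is a
# hypothetical access log that also records the URL-encoded POST body; the
# request paths are assumed, not taken from the product.
SAMPLE_LOG = """\
10.0.0.5 - staff1 [20/Apr/2026:10:01:12 +0000] "POST /staff/Troubleshooter/Step/InsertSubmit HTTP/1.1" 302 body="subject=Reset+password&contents=Step+one"
10.0.0.7 - staff2 [20/Apr/2026:10:03:40 +0000] "POST /staff/Troubleshooter/Step/EditSubmit/12 HTTP/1.1" 302 body="subject=%3CScRiPt%3Ealert(1)%3C%2Fscript%3E&contents=x"
10.0.0.9 - staff3 [20/Apr/2026:10:05:02 +0000] "POST /staff/Troubleshooter/Step/InsertSubmit HTTP/1.1" 302 body="subject=Printer+%3Cimg+src%3Dx+onerror%3Dalert(1)%3E&contents=y"
10.0.0.5 - staff1 [20/Apr/2026:10:06:00 +0000] "POST /staff/Tickets/Ticket/Reply/44 HTTP/1.1" 302 body="subject=%3Cscript%3E&contents=z"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$'
)

# Only POSTs to the Troubleshooter step controllers are in scope for this CVE
# (the path shape is an assumption for the example).
TROUBLESHOOTER_STEP_RE = re.compile(r"/Troubleshooter/Step/(InsertSubmit|EditSubmit)\b", re.I)

# Indicators of script injection, matched against the *decoded* subject, so
# URL-encoding and mixed case do not hide them.
SCRIPT_INDICATORS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),          # inline event handlers such as onerror=
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|svg|object|embed)\b", re.I),
]


def normalize(value: str) -> str:
    # parse_qs has already URL-decoded the value; html.unescape strips a second,
    # entity-encoded layer (&lt;script&gt;) that a plain grep would also miss.
    return html.unescape(value)


def subject_findings(line: str):
    """Return (user, path, decoded subject, matched indicator patterns) for a
    suspicious Troubleshooter step POST, or None if the line is clean or out of scope."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "POST" or not TROUBLESHOOTER_STEP_RE.search(m["path"]):
        return None
    params = parse_qs(m["body"], keep_blank_values=True)
    subject = normalize(params.get("subject", [""])[0])
    hits = [p.pattern for p in SCRIPT_INDICATORS if p.search(subject)]
    if not hits:
        return None
    return (m["user"], m["path"], subject, hits)


def scan_log(text: str):
    """Scan a whole log and return every finding, in file order."""
    return [f for f in (subject_findings(l) for l in text.splitlines()) if f]


def scan_stored_subjects(subjects):
    """Apply the same indicators to step subjects exported from the database
    (the second detection method above); returns (subject, hits) for matches only."""
    out = []
    for s in subjects:
        hits = [p.pattern for p in SCRIPT_INDICATORS if p.search(normalize(s))]
        if hits:
            out.append((s, hits))
    return out


if __name__ == "__main__":
    for user, path, subject, hits in scan_log(SAMPLE_LOG):
        print(f"{user} {path} subject={subject!r} indicators={hits}")
```

On the constructed log the scanner flags the second and third lines (a mixed-case script tag and an inline event handler) and ignores both the clean first request and the fourth, which carries a script tag but targets a different module. Event-handler and `javascript:` indicators are worth keeping alongside `<script`, since a subject rendered inside a link only needs an attribute to carry the payload.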
What immediate steps should I take to mitigate this vulnerability?
To mitigate this stored cross-site scripting vulnerability in GFI HelpDesk before version 4.99.9, immediate steps include:
- Upgrade GFI HelpDesk to version 4.99.9 or later where the vulnerability is fixed.
- Restrict authenticated staff access to the Troubleshooter module to trusted users only.
- Implement input validation and sanitization on the "subject" POST parameter to prevent injection of arbitrary JavaScript code.
- Educate staff users about the risks of injecting scripts and monitor for suspicious activity.
- As a temporary workaround, consider disabling or restricting access to the Troubleshooter module until a patch or upgrade is applied.
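The third step above asks for validation of the "subject" parameter; in CWE-79 terms the decisive control is encoding the stored subject for the HTML context it is rendered into, with input validation as a second layer. The following added example (not code from this advisory or from GFI HelpDesk, whose Troubleshooter is not written in Python) shows the flaw class beside its hardened form for a step link: the unsafe renderer interpolates the subject verbatim, the safe one applies HTML entity encoding, and a validator rejects markup and control characters at input time. The `Step` type, the link path and the 255-character limit are assumptions made for the example.

```python
import html
import re
from dataclasses import dataclass


@dataclass
class Step:
    step_id: int
    subject: str  # staff-supplied text stored by InsertSubmit/EditSubmit


def render_step_link_unsafe(step: Step) -> str:
    # The flaw class: stored text is placed into the page unchanged, so any
    # markup in the subject becomes part of the document for every viewer.
    return f'<a href="/Troubleshooter/Step/{step.step_id}">{step.subject}</a>'


def render_step_link(step: Step) -> str:
    # Hardened form: entity-encode for the HTML text context. quote=True also
    # encodes " and ', so the same helper is safe inside attribute values.
    safe_subject = html.escape(step.subject, quote=True)
    return f'<a href="/Troubleshooter/Step/{int(step.step_id)}">{safe_subject}</a>'


SUBJECT_MAX = 255  # assumed limit for the example
_FORBIDDEN = re.compile(r"[<>]|[\x00-\x08\x0b\x0c\x0e-\x1f]")


def is_valid_subject(subject: str) -> bool:
    """Input-side layer: a step subject is plain text, so refuse anything that
    carries angle brackets or control characters instead of trying to strip them."""
    if not subject or len(subject) > SUBJECT_MAX:
        return False
    return _FORBIDDEN.search(subject) is None


def validate_subject(subject: str) -> str:
    """Return the trimmed subject, or raise ValueError so the request is rejected."""
    if not is_valid_subject(subject):
        raise ValueError("subject must be 1..255 characters of plain text")
    return subject.strip()


if __name__ == "__main__":
    sample = Step(7, "<img src=x onerror=alert(1)>")
    print(render_step_link_unsafe(sample))  # markup survives into the page
    print(render_step_link(sample))         # markup is rendered as literal text
    print(is_valid_subject(sample.subject)) # False: rejected before it is stored
```

Encoding on output is what actually closes the hole, because it protects subjects that were stored before the validator existed; the validator reduces what reaches storage and gives a clean rejection at the POST handler.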
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the stored cross-site scripting vulnerability in GFI HelpDesk affects compliance with common standards and regulations such as GDPR or HIPAA.