CVE-2026-23758
Received Received - Intake
Stored XSS in GFI HelpDesk Ticket Subject Allows Code Execution

Publication date: 2026-04-20

Last updated on: 2026-04-27

Assigner: VulnCheck

Description
GFI HelpDesk beforeΒ 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-04-20
EPSS Evaluated
2026-06-15
NVD
CVE-2026-23758
EUVD
EUVD-2026-23910
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gfi helpdesk to 4.99.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

This vulnerability allows authenticated staff members to inject and execute malicious JavaScript code within the GFI HelpDesk application.

When other staff or administrators view the compromised ticket, the injected script runs, potentially leading to unauthorized actions within the application context.

Although it does not directly affect confidentiality, integrity, or availability, the script injection can be used to perform actions such as session hijacking, defacement, or other malicious activities that compromise security.

Executive Summary

CVE-2026-23758 is a stored cross-site scripting (XSS) vulnerability in GFI HelpDesk versions before 4.99.9. It occurs because the ticket subject field does not properly sanitize input, specifically through the editsubject POST parameter.

Authenticated staff members can inject malicious JavaScript code by exploiting the incomplete sanitization in the Controller_Ticket.EditSubmit() function. This malicious script then executes when other staff or administrators view the affected ticket.

The vulnerability is due to an incomplete SanitizeForXSS() method that can be bypassed, allowing arbitrary JavaScript execution.

Detection Guidance

This vulnerability can be detected by testing the ticket subject field for stored cross-site scripting (XSS) via the editsubject POST parameter. An authenticated staff member can attempt to inject a benign JavaScript payload into the ticket subject and then verify if the script executes when the ticket is viewed by other staff or administrators.

A practical approach is to use tools like curl or Burp Suite to send a POST request with a test XSS payload in the editsubject parameter to the Controller_Ticket.EditSubmit() endpoint and then check if the payload is stored and executed.

  • Example curl command to test injection:
  • curl -X POST -d "editsubject=<script>alert('XSS')</script>" -b cookies.txt https://your-gfi-helpdesk-url/Controller_Ticket.EditSubmit
  • After injection, log in as another staff member and view the ticket subject to see if the alert executes.
Mitigation Strategies

The immediate mitigation step is to upgrade GFI HelpDesk to version 4.99.9 or later, where this stored XSS vulnerability has been addressed.

Until the upgrade can be applied, restrict authenticated staff members' ability to edit ticket subjects or sanitize inputs more thoroughly at the application or web server level to prevent script injection.

Additionally, educate staff to avoid clicking on suspicious ticket subjects and monitor logs for unusual POST requests to the editsubject parameter.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-23758. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart