CVE-2026-23758
Status: Received - Intake
Stored XSS in GFI HelpDesk Ticket Subject Allows Code Execution

Publication date: 2026-04-20

Last updated on: 2026-04-27

Assigner: VulnCheck

Description
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers can inject XSS payloads through inadequate sanitization in Controller_Ticket.EditSubmit() that bypass the incomplete SanitizeForXSS() method to execute arbitrary JavaScript when other staff members or administrators view the affected ticket.
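The description names SanitizeForXSS() but the page does not show its code, so the example below is an added illustration of the fix pattern rather than the vendor's patch: keep the stored subject verbatim and encode every HTML delimiter at render time, in the context where it is emitted. The sample subjects, the row template and the helper names are constructed for this example; the only value taken from the page is the test payload quoted in its Q&A.

```python
"""Render a ticket subject safely for the HTML context.

Added example, not GFI HelpDesk code: SanitizeForXSS() is only named on the
page, so this shows the fix pattern rather than the vendor's patch. The stored
subject is kept verbatim and every HTML delimiter is encoded at render time,
so the payload quoted on the page becomes inert text instead of a script tag.
"""
import html
from html.parser import HTMLParser

# Constructed sample subjects: two legitimate ones that happen to contain
# markup characters, and the payload quoted in the advisory's Q&A.
SAMPLE_SUBJECTS = {
    "benign": "Printer & scanner offline in <Building 7>",
    "quotes": 'User says "password" doesn\'t work',
    "payload": "<script>alert('XSS')</script>",
}


def escape_for_html(subject: str) -> str:
    """Encode &, <, >, " and ' so the text cannot open a tag or close an attribute."""
    return html.escape(subject, quote=True)


def render_ticket_row_unsafe(ticket_id: int, subject: str) -> str:
    """The pattern to avoid: raw interpolation of stored input into markup."""
    return f'<tr><td>{ticket_id}</td><td title="{subject}">{subject}</td></tr>'


def render_ticket_row(ticket_id: int, subject: str) -> str:
    """Hardened version: encoding happens at output, once per context.

    The same escaped value serves both the double-quoted attribute and the
    element text because quote=True also encodes quotes.
    """
    safe = escape_for_html(subject)
    return f'<tr><td>{ticket_id}</td><td title="{safe}">{safe}</td></tr>'


class _TagCollector(HTMLParser):
    """Record the start tags a browser-like tokenizer would create."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append(tag)


def element_names(fragment: str) -> list[str]:
    """Tokenize a fragment and return the element names it produces."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags


def round_trips(subject: str) -> bool:
    """Encoding is lossless: decoding the escaped text yields the stored subject."""
    return html.unescape(escape_for_html(subject)) == subject


if __name__ == "__main__":
    for name, subject in SAMPLE_SUBJECTS.items():
        print(f"{name:8} unsafe -> {element_names(render_ticket_row_unsafe(7, subject))}")
        print(f"{name:8} safe   -> {element_names(render_ticket_row(7, subject))}")
```

Running the block shows the difference a reviewer would look for: the unsafe row produces a `script` element from the stored payload, while the hardened row always yields exactly `tr`, `td`, `td`, and legitimate subjects containing `&`, quotes or angle brackets survive unchanged once decoded. Encoding at output also avoids the trap of an input-side filter that has to anticipate every way markup can be spelled.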
Meta Information
Published: 2026-04-20
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-04-20
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: gfi
Product: helpdesk
Version / Range: up to 4.99.9 (excluding)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.


How can this vulnerability impact me?

This vulnerability allows authenticated staff members to inject and execute malicious JavaScript code within the GFI HelpDesk application.

When other staff or administrators view the compromised ticket, the injected script runs, potentially leading to unauthorized actions within the application context.

Although it does not directly affect confidentiality, integrity, or availability, the script injection can be used to perform actions such as session hijacking, defacement, or other malicious activities that compromise security.


Can you explain this vulnerability to me?

CVE-2026-23758 is a stored cross-site scripting (XSS) vulnerability in GFI HelpDesk versions before 4.99.9. It occurs because the ticket subject field does not properly sanitize input, specifically through the editsubject POST parameter.

Authenticated staff members can inject malicious JavaScript code by exploiting the incomplete sanitization in the Controller_Ticket.EditSubmit() function. This malicious script then executes when other staff or administrators view the affected ticket.

The vulnerability is due to an incomplete SanitizeForXSS() method that can be bypassed, allowing arbitrary JavaScript execution.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the ticket subject field for stored cross-site scripting (XSS) via the editsubject POST parameter. An authenticated staff member can attempt to inject a benign JavaScript payload into the ticket subject and then verify if the script executes when the ticket is viewed by other staff or administrators.

A practical approach is to use tools like curl or Burp Suite to send a POST request with a test XSS payload in the editsubject parameter to the Controller_Ticket.EditSubmit() endpoint and then check if the payload is stored and executed.

  • Example curl command to test injection:

        curl -X POST -d "editsubject=<script>alert('XSS')</script>" -b cookies.txt https://your-gfi-helpdesk-url/Controller_Ticket.EditSubmit

  • After injection, log in as another staff member and view the ticket subject to see if the alert executes.

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade GFI HelpDesk to version 4.99.9 or later, where this stored XSS vulnerability has been addressed.

Until the upgrade can be applied, restrict authenticated staff members' ability to edit ticket subjects or sanitize inputs more thoroughly at the application or web server level to prevent script injection.

Additionally, educate staff to avoid clicking on suspicious ticket subjects and monitor logs for unusual POST requests to the editsubject parameter.
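The monitoring advice above is easier to act on with a concrete rule. The following is an added example, not part of the advisory or of GFI HelpDesk: it assumes a request log that records the POST endpoint and the URL-encoded form body (a reverse proxy or WAF with body logging, or the application's own audit log). The line format, the staff user names, the ticket ids and all sample lines are constructed; the endpoint string Controller_Ticket.EditSubmit and the parameter name editsubject are the ones named on the page.

```python
"""Flag ticket-subject edits that carry HTML markup in request logs.

Added example, not part of the advisory or of GFI HelpDesk. It assumes a
request log that records the POST endpoint and the URL-encoded form body;
the line format and every sample line below are constructed.
"""
import re
from urllib.parse import parse_qs

# Constructed log format: <ISO timestamp> <staff user> <method> <endpoint> <form body>
SAMPLE_LOG = """\
2026-04-21T09:14:02Z agent.lee POST Controller_Ticket.EditSubmit editsubject=Printer+offline+in+room+7&ticketid=1041
2026-04-21T09:15:47Z agent.lee POST Controller_Ticket.EditSubmit editsubject=Quote+needed%3A+cost+%3C+100+EUR&ticketid=1042
2026-04-21T09:16:10Z agent.kim GET Controller_Ticket.View ticketid=1041
2026-04-21T09:18:33Z agent.kim POST Controller_Ticket.EditSubmit editsubject=%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&ticketid=1041
2026-04-21T09:19:05Z agent.kim POST Controller_Ticket.EditSubmit editsubject=Printer+%3CBuilding+7%3E+offline&ticketid=1043
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<endpoint>\S+) (?P<body>\S*)$"
)

# Tag-like markup: '<' followed by an optional '/' and a letter. A bare '<'
# used as "less than" (e.g. "cost < 100") is deliberately left alone.
TAG_LIKE = re.compile(r"<\s*/?[A-Za-z]")


def parse_line(line: str):
    """Split one log line into fields and URL-decode the form body; None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # parse_qs handles both %XX escapes and '+' for spaces.
    rec["params"] = parse_qs(rec["body"], keep_blank_values=True)
    return rec


def classify_subject(subject: str) -> str:
    """'markup' if the decoded subject looks like it contains a tag, else 'clean'."""
    return "markup" if TAG_LIKE.search(subject) else "clean"


def scan_log(text: str) -> list:
    """One alert per POST whose editsubject parameter contains tag-like markup."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or "editsubject" not in rec["params"]:
            continue
        for subject in rec["params"]["editsubject"]:
            if classify_subject(subject) == "markup":
                alerts.append({
                    "ts": rec["ts"],
                    "user": rec["user"],
                    "endpoint": rec["endpoint"],
                    "ticket": rec["params"].get("ticketid", [""])[0],
                    "subject": subject,
                })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f'{a["ts"]} {a["user"]} ticket={a["ticket"]} subject={a["subject"]!r}')
```

On the constructed sample the rule raises two alerts: the decoded test payload on ticket 1041, and the legitimate subject "Printer <Building 7> offline" on ticket 1043, which shows the heuristic's limit. Treat such hits as review items rather than blocks, and pair the rule with the real control, which is encoding the subject at output; the log rule only tells you who edited what and when while the upgrade is pending.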

