CVE-2026-23757 MEDIUM

CVE-2026-23757: GFI HelpDesk < 4.99.10 Stored XSS via Reports Module

Vendor Gfi Software

Product HelpDesk

Weakness CWE-79 · XSS

Published April 20, 2026

Last update April 20, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

GFI HelpDesk before 4.99.10 contains a stored cross-site scripting vulnerability in the Reports module where the title parameter is passed directly to SWIFT_Report::Create() without HTML sanitization. Attackers can inject arbitrary JavaScript into the report title field when creating or editing a report, and the payload executes when staff members view and click the affected report link in the Manage Reports interface.

Key dates

02Disclosure timeline

April 20, 2026 CVE published

April 20, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-23757 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

CVE-2026-23757: GFI HelpDesk < 4.99.10 Stored XSS via Reports Module

01Description

02Disclosure timeline

03References

04Related CVE