CVE-2026-40229 MEDIUM

CVE-2026-40229: Helpy 2.8.0 - Stored XSS in post author display via PostsHelper

Vendor Helpyio

Product helpy

Weakness CWE-79 · XSS

Published April 29, 2026

Last update April 29, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users.This issue affects helpy: 2.8.0.

Key dates

02Disclosure timeline

April 29, 2026 CVE published

April 29, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-40229 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-27002 WordPress CountDown With Image or Video Background plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-63082 Joomla! Core - [20260101] - Inadequate content filtering for data URLs CVE-2025-68878 WordPress Advanced Custom CSS plugin <= 1.1.0 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2024-30437 WordPress Webinar and Video Conference with Jitsi Meet plugin <= 2.6.3 - Cross Site Scripting (XSS) vulnerability CVE-2024-7655 Community by PeepSo – Social Network, Membership, Registration, User Profiles <= 6.4.5.0 - Authenticated (Administrator+) Stored Cross-Site Scripting