CVE-2026-23752 PUBLISHED

GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter

Assigner: VulnCheck
Reserved: 15.01.2026 Published: 20.04.2026 Updated: 20.04.2026

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality that allows authenticated administrators to inject arbitrary JavaScript by manipulating the companyname POST parameter without HTML sanitization. Attackers can inject malicious scripts through the companyname field that execute in the browsers of any administrator viewing the Templates > Groups page.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
CVSS Score: 4.8

Product Status

Vendor GFI Software
Product HelpDesk
Versions Default: unaffected
  • affected from 0 to 4.99.9 (excl.)

Credits

  • Alex Williams from Pellera Technologies finder
  • VulnCheck coordinator

References

Problem Types

  • CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE