XSS in GFI Software HelpDesk

CVE-2026-23758

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the ticket subject field that allows authenticated staff members to inject malicious JavaScript by manipulating the editsubject POST parameter. Attackers ca…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.000 (10.3th percentile)
