cvedb.io
CVE-2026-23752
MEDIUM · CVSS 4.8
EPSS exploitation probability: 0%
Published 2026-04-20T18:16:23.947 · Last modified 2026-06-17T10:22:03.090

Summary

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the template group creation and editing functionality. The companyname POST parameter is not HTML-sanitized, so an authenticated administrator can inject arbitrary JavaScript through it. The injected script executes in the browser of any administrator who views the Templates > Groups page.

Affected products

gfi — helpdesk

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.