PT-2026-33814 · Gfi · Gfi Helpdesk
Alex Williams, +1
Published 2026-04-20 · Updated 2026-04-21
CVE-2026-23756
| CVSS v3.1 | 5.4 (Medium) |
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
GFI HelpDesk versions prior to 4.99.9
Description
A stored cross-site scripting vulnerability exists in the Troubleshooter module. An authenticated staff member can inject arbitrary JavaScript through the step subject field: the POST parameter 'subject' is accepted by Controller Step.InsertSubmit() and EditSubmit() without sanitization, stored, and later rendered by View Step.RenderViewSteps() without output encoding. The payload executes in the browser of any user who navigates to Troubleshooter > View Troubleshooter and clicks the affected step link, which is why the vector carries PR:L (a staff account is needed to plant the payload), UI:R (the victim must click the step) and S:C (the script runs in other users' sessions).
Recommendations
Update to version 4.99.9 or later.
As a temporary workaround, restrict access to the Troubleshooter module to staff members who actually require it. This only limits who can add or edit steps; it does not remove a payload that is already stored, so also review existing step subjects for HTML or script content before and after upgrading.
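The following is an added example, not code from GFI HelpDesk or from this advisory's authors. It models the store-and-render flow described above in a few lines of Node.js: a step subject taken from a POST body is stored as received and later concatenated into the step link, which is the stored-XSS pattern; the hardened renderer encodes at the output boundary instead. It also includes a small audit helper for the workaround phase, flagging stored subjects that carry markup. The function names (insertStep, renderStepLinkVulnerable, renderStepLinkSafe, findSuspiciousSubjects), the "/step/<id>" link path and the sample POST bodies are all assumptions constructed for the example.

```javascript
// Added example (not GFI HelpDesk code). Models a troubleshooter "step" being
// stored from a POST body and rendered as a link, vulnerable and hardened.

// Constructed sample POST bodies, as an authenticated staff member might submit them.
const maliciousPost = { subject: '<img src=x onerror="alert(document.cookie)">' };
const benignPost = { subject: 'Printer offline & blinking' };

// Minimal HTML entity encoding for text placed in element content or a quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the subject is stored exactly as received (no validation,
// no encoding), mirroring an InsertSubmit/EditSubmit handler that trusts the POST value.
function insertStep(store, post) {
  const id = store.length + 1;
  store.push({ id, subject: post.subject });
  return id;
}

// Vulnerable render: raw string interpolation, so any markup in the subject
// becomes part of the page and scripts in it run in the viewer's session.
// The "/step/<id>" path is an assumed link target for the example.
function renderStepLinkVulnerable(step) {
  return `<a href="/step/${step.id}">${step.subject}</a>`;
}

// Hardened render: encode at the output boundary, where the context (HTML text) is known.
function renderStepLinkSafe(step) {
  return `<a href="/step/${step.id}">${escapeHtml(step.subject)}</a>`;
}

// Audit helper for the workaround phase: returns the ids of stored subjects that
// contain a tag, a javascript: URL or an on*= handler so existing payloads can be found.
function findSuspiciousSubjects(store) {
  const markup = /<\s*\/?\s*[a-z!][^>]*>|javascript:|on\w+\s*=/i;
  return store.filter((s) => markup.test(s.subject)).map((s) => s.id);
}

// Runs the whole flow on the constructed input and returns both renderings plus the audit result.
function demo() {
  const store = [];
  insertStep(store, benignPost);
  const badId = insertStep(store, maliciousPost);
  const bad = store[badId - 1];
  return {
    vulnerable: renderStepLinkVulnerable(bad),
    safe: renderStepLinkSafe(bad),
    flagged: findSuspiciousSubjects(store),
  };
}

console.log(demo());
```

The point of splitting insert and render is where the fix belongs: validating on input is a useful defence in depth, but the reliable control is context-aware output encoding in the view, because the same stored value may later be rendered in more than one context. The audit regex is deliberately broad; it is meant to surface candidates for a human to review, not to be a filter.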
Fix
XSS
Affected Products
Gfi Helpdesk