PT-2026-33815 · Gfi · Gfi Helpdesk

Alex Williams +1 · Published 2026-04-20 · Updated 2026-04-21 · CVE-2026-23758

CVSS v4.0: 6.4 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: GFI HelpDesk versions prior to 4.99.9

Description: A stored cross-site scripting vulnerability exists in the ticket subject field. An authenticated staff member can inject JavaScript through the 'editsubject' POST parameter because sanitization in the Controller Ticket.EditSubmit() function is inadequate: the submitted value bypasses the incomplete SanitizeForXSS() method and is stored as-is. The injected script then executes in the browser of any other staff member or administrator who views the affected ticket. Note that the vector's PR:L means any staff account, not only an administrative one, is enough to plant the payload, and UI:P means the victim only has to open the ticket; the high subsequent-system impact (SC:H/SI:H/SA:H) reflects that the script runs with the viewing administrator's session.

Recommendations: Update to version 4.99.9 or later. As a temporary workaround, restrict access to the Controller Ticket.EditSubmit() function or to the 'editsubject' parameter (for example, by rejecting subject values that contain HTML markup at the request boundary) to reduce the risk of exploitation until the update is applied.
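The following is an added illustration, not code from GFI HelpDesk and not a reproduction of its SanitizeForXSS() method. It shows in general terms why a strip-the-bad-tags sanitizer on a stored field like a ticket subject is the wrong control, what contextual output encoding does instead, and an input-side check in the spirit of the workaround above. The function names (naiveSanitize, escapeHtml, containsActiveMarkup, isAcceptableSubject) and the sample payloads are constructed for this example.

```javascript
// Added example, not GFI HelpDesk code. The blacklist below is a hypothetical
// stand-in for an incomplete sanitizer; it does not reproduce SanitizeForXSS().

// Hypothetical incomplete sanitizer: removes <script> and </script> tags and
// nothing else. Two classic bypasses survive it (see PAYLOADS).
function naiveSanitize(subject) {
  return subject.replace(/<\s*\/?\s*script[^>]*>/gi, "");
}

// Contextual output encoding for an HTML text node or quoted attribute value.
// A ticket view should apply this when rendering the subject, regardless of
// what was stored, so the browser never sees user-supplied markup as markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Rough detector used only to show whether live markup survives a step:
// a <script> element or any tag carrying an on* event-handler attribute.
function containsActiveMarkup(s) {
  return /<\s*script\b/i.test(s) || /<[^>]*\son[a-z]+\s*=/i.test(s);
}

// Input-side check in the spirit of restricting the 'editsubject' parameter:
// a subject line has no legitimate need for angle brackets, so reject them
// outright instead of trying to clean them.
function isAcceptableSubject(s) {
  return typeof s === "string" && s.length > 0 && s.length <= 255 && !/[<>]/.test(s);
}

// Constructed payloads a malicious staff member might submit as editsubject.
const PAYLOADS = [
  "<script>alert(document.cookie)</script>",        // caught by the blacklist
  '<img src=x onerror="alert(document.cookie)">',    // survives: no script tag at all
  "<scr<script>ipt>alert(1)</script>",                // survives: tag re-forms after one strip
];

// For one payload, report whether markup stays live after the naive sanitizer,
// after proper escaping, and whether the input check would have accepted it.
function evaluate(payload) {
  const stored = naiveSanitize(payload);
  const rendered = escapeHtml(payload);
  return {
    naiveStillActive: containsActiveMarkup(stored),
    escapedStillActive: containsActiveMarkup(rendered),
    acceptedByWorkaround: isAcceptableSubject(payload),
    rendered,
  };
}

// Stand-alone run: prints one result line per constructed payload.
for (const p of PAYLOADS) {
  const r = evaluate(p);
  console.log(JSON.stringify({ payload: p, ...r }));
}
```

The point of the example is the second and third payloads: a sanitizer that removes what it recognises leaves everything it does not recognise, and a single pass can even reassemble a tag it just cut out. Encoding at the output point, or refusing markup in a field that never needs it, does not depend on knowing every payload shape.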

Fix

XSS


Weakness Enumeration

Related Identifiers: CVE-2026-23758

Affected Products: Gfi Helpdesk