PT-2026-33820 · Gfi · Gfi Helpdesk
Alex Williams +1 · Published 2026-04-20 · Updated 2026-04-21
CVE-2026-23752
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
GFI HelpDesk versions prior to 4.99.9
Description
A stored cross-site scripting issue exists in the template group creation and editing functionality. Authenticated administrators can inject arbitrary JavaScript by manipulating the companyname POST parameter, which lacks proper HTML sanitization. Malicious scripts injected through the companyname field execute in the browsers of any administrator who views the 'Templates > Groups' page.
Recommendations
Update to version 4.99.9 or later.
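The flaw class described above, shown as an added example that is not GFI HelpDesk code: a stored companyname value rendered without encoding next to the output-encoded form, plus a small audit that flags stored values worth reviewing after the upgrade. The row layout (id, companyname), the function names and the sample data are assumptions constructed for illustration.

```python
import html

# Constructed sample rows standing in for stored template groups.
# The (id, companyname) layout is an assumption, not the product's schema.
SAMPLE_GROUPS = [
    {"id": 1, "companyname": "Example Corp"},
    {"id": 2, "companyname": "Smith & Sons"},
    {"id": 3, "companyname": "Acme<script>alert(1)</script>"},
]

# Characters that can open a tag or break out of a quoted attribute.
MARKUP_CHARS = set("<>\"'")


def render_unsafe(companyname):
    """Flawed pattern: the stored value is placed into markup unchanged."""
    return "<td>" + companyname + "</td>"


def render_safe(companyname):
    """Hardened pattern: HTML-encode the value at output time."""
    return "<td>" + html.escape(companyname, quote=True) + "</td>"


def audit_groups(groups):
    """Return ids of rows whose companyname contains markup characters.

    A bare ampersand is common in legitimate company names, so it is
    encoded by render_safe but not flagged here.
    """
    return [g["id"] for g in groups if MARKUP_CHARS & set(g["companyname"])]


if __name__ == "__main__":
    for group in SAMPLE_GROUPS:
        print(group["id"], render_safe(group["companyname"]))
    print("rows to review:", audit_groups(SAMPLE_GROUPS))
```

Rows flagged by the audit are candidates for manual review; encoding at output time is what keeps a stored value from being interpreted as markup when the listing page is rendered.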
Fix
XSS
Affected Products
Gfi Helpdesk