PT-2026-33822 · Gfi · Gfi Helpdesk

Alex Williams +1 · Published 2026-04-20 · Updated 2026-04-21 · CVE-2026-23757

CVSS v3.1: 5.4 Medium
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GFI HelpDesk versions prior to 4.99.10

Description: A stored cross-site scripting (XSS) vulnerability exists in the Reports module. The title parameter is passed directly to the SWIFT Report::Create() function without HTML sanitization, so an attacker with access to report creation or editing can store arbitrary JavaScript in the report title field. The stored payload executes in the browser of any staff member who views and clicks the affected report link within the Manage Reports interface.

Recommendations: Update to version 4.99.10 or later. As a temporary workaround, restrict access to the Reports module or avoid using the title parameter in the affected interface until the update is applied.
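The advisory describes the missing control as HTML sanitization of the report title before it reaches the Manage Reports page. The following is an added illustration, not code from the advisory or from GFI HelpDesk (whose own implementation is not shown here): it escapes a stored title at output time so markup stays inert, and it audits a set of constructed sample titles for tag-like content, the kind of check an administrator might run on existing reports while the workaround is in place. The sample titles, the `/reports/view/` link path and the function names are all assumptions made for this example.

```python
import html
import re

# Constructed sample of stored report titles, as an administrator might
# export them from the helpdesk database. None of these come from the advisory.
SAMPLE_TITLES = [
    "Weekly ticket volume",
    "SLA breaches <script>probe()</script>",
    "Agent performance & response time",
    'Backlog <img src=x onerror="probe()">',
]

# A legitimate report title has no reason to contain a tag, an inline event
# handler or a javascript: URL, so any of these is worth a manual review.
MARKUP_RE = re.compile(
    r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def render_title(title: str) -> str:
    """Encode a stored title for an HTML text or attribute context.

    The stored value is left exactly as the user typed it; encoding happens
    at output time, which is the step the advisory reports as missing.
    """
    return html.escape(title, quote=True)


def audit_titles(titles):
    """Return the stored titles that contain markup and should be reviewed."""
    return [t for t in titles if MARKUP_RE.search(t)]


def render_link(title: str, report_id: int) -> str:
    """Build a Manage Reports link (hypothetical path) with the title escaped."""
    return f'<a href="/reports/view/{int(report_id)}">{render_title(title)}</a>'


if __name__ == "__main__":
    for suspect in audit_titles(SAMPLE_TITLES):
        print("review:", repr(suspect))
    # The escaped title renders as visible text rather than as a script tag.
    print(render_link(SAMPLE_TITLES[1], 7))
```

The audit regex is deliberately broad: it will flag harmless titles that happen to contain a literal `<` followed by a letter, and a false positive there costs only a glance, whereas a missed stored payload keeps firing every time staff open the report list.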

Fix · XSS


Weakness Enumeration

Related Identifiers: CVE-2026-23757

Affected Products: Gfi Helpdesk