CVE-2026-40229 | THREATINT

Description

Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users.This issue affects helpy: 2.8.0.

PUBLISHED Reserved 2026-04-10 | Published 2026-04-29 | Updated 2026-04-29 | Assigner Fluid Attacks

MEDIUM: 5.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

2.8.0

affected

Credits

Oscar Uribe finder

Fluid Attacks' AI SAST Scanner finder

References

fluidattacks.com/es/advisories/offspring third-party-advisory

github.com/helpyio/helpy product

cve.org (CVE-2026-40229)

nvd.nist.gov (CVE-2026-40229)

Download JSON