CVE-2026-40229
MEDIUM
Helpy 2.8.0 - Stored XSS in post author display via PostsHelper
Title source: cna
Description
Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users. This issue affects helpy: 2.8.0.
Scores
CVSS v4
5.1
EPSS
0.0003
EPSS Percentile
8.1%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
helpyio/helpy
2.8.0
Published
Apr 29, 2026
Tracked Since
Apr 29, 2026