CVE-2026-40229
MEDIUM
Helpy 2.8.0 - Stored XSS in post author display via PostsHelper
Title source: cna
Description
Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users. This issue affects helpy: 2.8.0.
References (2)
Core References
Third Party Advisory
https://fluidattacks.com/es/advisories/offspring
Product
https://github.com/helpyio/helpy
Scores
CVSS v3
5.4
EPSS
0.0018
EPSS Percentile
7.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (2)
helpy.io/helpy
2.8.0
helpyio/helpy
2.8.0
Published
Apr 29, 2026
Tracked Since
Apr 29, 2026