Primary

Context

Helpy Stored Cross-Site Scripting Vulnerability in Author Display Logic

Vulnerability

A stored cross-site scripting vulnerability has been identified in Helpy version 2.8.0. This issue allows registered users to inject arbitrary HTML into their account name field, which is then rendered unescaped in public forum threads, the admin ticket view, and HTML notification emails sent to other users. The vulnerability arises in the PostsHelper, where user names are interpolated into translation strings without proper sanitization, enabling the execution of injected scripts or HTML when the content is viewed.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected HTML or scripts are executed in the context of the user viewing the affected content.

Reproduction

To reproduce this vulnerability, register a user account in Helpy 2.8.0 and include a JSFuck-encoded JavaScript payload, such as an alert command, in the name field. After registration, the payload will be executed when the injected HTML is rendered in public forum threads or admin views.

Added: Apr 29, 2026, 4:32 PM

Updated: Apr 29, 2026, 4:32 PM

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

0.4

exploitability

6.5

remediation

0.0

relevance

7.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.2

impact

0.4

exploitability

6.5

remediation

0.0

relevance

7.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Helpy Stored Cross-Site Scripting Vulnerability in Author Display Logic

Vulnerability

Impact

Reproduction

Affected Products

helpy

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating