LeakyCreds

CVE-2026-40229 - Vulnerability Analysis

Medium, CVSS: 5.4

Last Updated: May 1, 2026

Helpy - Stored XSS

Published: April 29, 2026
Updated: May 1, 2026
PoC Available
Remote Exploitable

Overview

Helpy 2.8.0 contains a stored cross-site scripting (XSS) vulnerability: the post author display logic renders arbitrary HTML without escaping it, so a registered user can have scripts execute in public forum threads, admin views, and notification emails.

Severity & Score

Severity: Medium
CVSS Score: 5.4

Impact

Registered users can execute persistent scripts affecting other users and admins, potentially leading to session hijacking or phishing.

Mitigation

Update to the latest version where this issue is fixed.

Details

CVE ID: CVE-2026-40229
Severity: Medium
CVSS Score: 5.4
Type: stored_xss
Status: confirmed

CWE

  • CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N