CVE-2026-23753 MEDIUM

CVE-2026-23753: GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter

Vendor Gfi Software

Product HelpDesk

Weakness CWE-79 · XSS

Published April 20, 2026

Last update April 21, 2026

View on NVD All CVEs

CVSS base score

4.8/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.

Key dates

02Disclosure timeline

April 20, 2026 CVE published

April 21, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-23753

Related vulnerabilities

CVE-2026-23753: GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter

01Description

02Disclosure timeline

03References

04Related CVE