Medium severity4.8NVD Advisory· Published Apr 20, 2026· Updated Apr 27, 2026

CVE-2026-23753

Description

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.

Affected products

Gfi/Helpdesk
cpe:2.3:a:gfi:helpdesk:*:*:*:*:*:*:*:*
Range: <4.99.9

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.vulncheck.com/advisories/gfi-helpdesk-stored-xss-via-charset-parameternvdThird Party Advisory
gfi.ai/products-and-solutions/email-and-messaging-solutions/helpdesk/resources/product-releasesnvdRelease Notes

News mentions

No linked articles in our index yet.

cvss	0.312
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000