Description
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.
Published: 2026-04-20
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: Stored cross-site scripting that executes JavaScript in the browsers of any administrator viewing the Languages page
Action: Immediate Patch
AI Analysis

Impact

GFI HelpDesk versions prior to 4.99.9 contain a stored XSS flaw in the language management module; the charset POST parameter is passed untrusted to SWIFT_Language::Create() and later rendered unsanitized by View_Language.RenderGrid(). An attacker who can log in as an administrator can insert arbitrary JavaScript into the charset field of any language entry. When another administrator opens the Languages page, the injected script runs in that admin's browser, allowing the attacker to capture session cookies, forge requests, or perform actions on behalf of the administrator without further exploitation.
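The source-to-sink path described above, as an added Python example that is not GFI HelpDesk code: a store-and-render pair modelled on SWIFT_Language::Create() and View_Language.RenderGrid() that keeps the charset value untouched, beside the two fixes a defender would apply (allowlisting the charset on input and HTML-escaping at the sink) and an audit over already-stored rows. The function names, the row layout and the HTML shape are assumptions, not the product's actual code.

```python
import codecs
import html
import re

# IANA charset labels are short ASCII tokens such as "UTF-8" or "ISO-8859-1".
CHARSET_TOKEN = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:-]{0,39}$")


def is_valid_charset(value: str) -> bool:
    """Accept only a well-formed label that the codec registry recognises."""
    if not CHARSET_TOKEN.match(value):
        return False
    try:
        codecs.lookup(value)
    except LookupError:
        return False
    return True


def create_language_vulnerable(store: list, title: str, charset: str) -> dict:
    """Assumed pre-4.99.9 behaviour: the POST value is stored untouched."""
    store.append({"title": title, "charset": charset})
    return store[-1]


def create_language_hardened(store: list, title: str, charset: str) -> dict:
    """Input-side fix: refuse anything that is not a real charset label."""
    if not is_valid_charset(charset):
        raise ValueError("charset must be a recognised charset label")
    store.append({"title": title, "charset": charset})
    return store[-1]


def render_grid_row_vulnerable(row: dict) -> str:
    """Assumed RenderGrid() behaviour: stored fields interpolated unescaped."""
    return f"<tr><td>{row['title']}</td><td>{row['charset']}</td></tr>"


def render_grid_row_hardened(row: dict) -> str:
    """Output-side fix: escape at the sink, so the grid stays inert even if
    input validation was bypassed or the row was planted in the database."""
    cells = (html.escape(row["title"]), html.escape(row["charset"]))
    return "<tr><td>{}</td><td>{}</td></tr>".format(*cells)


def audit_stored_languages(store: list) -> list:
    """Check for existing installs: titles of rows whose charset is not a
    valid label and therefore deserves review before or after upgrading."""
    return [r["title"] for r in store if not is_valid_charset(r["charset"])]
```

Rendering a constructed row whose charset holds markup through render_grid_row_vulnerable reproduces the unescaped output, while render_grid_row_hardened returns it as inert text and audit_stored_languages lists that row's title.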

Affected Systems

The affected systems are installations of GFI Software HelpDesk with a version less than 4.99.9. No other products or specific version ranges are listed in the CNA data.

Risk and Exploitability

The attack requires authenticated administrator access, so it is not a public-facing flaw, but it can be leveraged by an insider or through a compromised admin account. The CVSS score of 4.8 places it in the medium severity range; no EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. An attacker who has gained admin credentials can exploit the stored XSS during other administrators' routine use of the Languages page, potentially leading to privilege escalation, credential theft, or unauthorized actions within the HelpDesk application.

Generated by OpenCVE AI on April 20, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GFI HelpDesk to version 4.99.9 or later to remove the stored XSS flaw.
  • Limit administrator accounts to trusted personnel only and enforce least-privilege policies.
  • If an upgrade cannot be performed immediately, consider disabling the language management feature or placing the admin interface behind a strict access-control firewall to restrict who can perform the vulnerable action.


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
Description | | GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.
Title | | GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter
Weaknesses | | CWE-79
References | |
Metrics | | cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
Metrics | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-20T17:33:59.134Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23753

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-04-20T18:16:24.137

Modified: 2026-04-20T19:05:30.750

Link: CVE-2026-23753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T20:45:16Z

Weaknesses