Description
GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.
Published: 2026-04-20
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting that executes JavaScript in the browsers of any administrator viewing the Languages page
Action: Immediate Patch
AI Analysis

Impact

GFI HelpDesk versions prior to 4.99.9 contain a stored XSS flaw in the language management module; the charset POST parameter is passed untrusted to SWIFT_Language::Create() and later rendered unsanitized by View_Language.RenderGrid(). An attacker who can log in as an administrator can insert arbitrary JavaScript into the charset field of any language entry. When another administrator opens the Languages page, the injected script runs in that admin's browser, allowing the attacker to capture session cookies, forge requests, or perform actions on behalf of the administrator without further exploitation.
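As an added illustration that is not taken from the advisory or from GFI HelpDesk's own code (SWIFT_Language::Create() and View_Language.RenderGrid() are not reproduced here), the two controls that close this bug class, written in Python rather than the product's PHP: an allow-list check on the charset value before it is stored, and HTML-escaping when it is rendered into a grid cell, plus a scan that flags already-stored records a defender may want to review before upgrading. The function names and the sample language records are hypothetical and constructed for this example.

```python
import html
import re

# Charset names are short ASCII tokens such as "UTF-8", "ISO-8859-1" or
# "windows-1252": letters, digits and a little punctuation. Quotes, angle
# brackets and whitespace have no place in a charset field, and they are
# precisely what a stored-XSS payload needs. (Constructed allow-list, not the
# vendor's.)
CHARSET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}$")


def is_valid_charset(value: str) -> bool:
    """Input-side control: reject the charset POST value before it is stored."""
    return bool(CHARSET_RE.match(value))


def render_charset_cell(value: str) -> str:
    """Output-side control: escape on render, so a value that reached the
    database by any route is displayed as inert text inside the grid cell."""
    return "<td>{}</td>".format(html.escape(value, quote=True))


def find_suspicious_charsets(records):
    """Return the ids of stored language records whose charset would fail the
    allow-list; a quick way to check an existing database for tampered rows."""
    return [r["id"] for r in records if not is_valid_charset(r["charset"])]


# Constructed sample records (not real GFI HelpDesk data). The third entry
# stands in for a tampered charset field; the script body is a harmless marker.
SAMPLE_LANGUAGES = [
    {"id": 1, "title": "English", "charset": "UTF-8"},
    {"id": 2, "title": "Deutsch", "charset": "ISO-8859-1"},
    {"id": 3, "title": "tampered", "charset": 'UTF-8"><script>marker()</script>'},
]

if __name__ == "__main__":
    for rec in SAMPLE_LANGUAGES:
        print(rec["id"], is_valid_charset(rec["charset"]), render_charset_cell(rec["charset"]))
    print("suspicious:", find_suspicious_charsets(SAMPLE_LANGUAGES))
```

The escaped output for the tampered row contains `&lt;script&gt;` rather than a live tag, which is what the unpatched RenderGrid() path was missing.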

Affected Systems

The affected systems are installations of GFI Software HelpDesk with a version less than 4.99.9. No other products or specific version ranges are listed in the CNA data.

Risk and Exploitability

The attack requires authenticated administrator access, so it is not a public-facing flaw, but it can be leveraged by an insider or through a compromised admin account. The CVSS score of 4.8 places it in the medium severity range; the EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. An attacker who has gained admin credentials can exploit the stored XSS during routine use of the Languages page, potentially leading to privilege escalation, credential theft, or unauthorized actions within the HelpDesk application.

Generated by OpenCVE AI on April 20, 2026 at 20:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GFI HelpDesk to version 4.99.9 or later to remove the stored XSS flaw.
  • Limit administrator accounts to trusted personnel only and enforce least-privilege policies.
  • If an upgrade cannot be performed immediately, consider disabling the language management feature or placing the admin interface behind a strict access-control firewall to restrict who can perform the vulnerable action.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 15:15:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:gfi:helpdesk:*:*:*:*:*:*:*:*

Wed, 22 Apr 2026 12:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Gfi, Gfi helpdesk
Vendors & Products                      Gfi, Gfi helpdesk

Tue, 21 Apr 2026 14:15:00 +0000

Type       Values Removed    Values Added
Metrics                      ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 18:00:00 +0000

Type           Values Removed    Values Added
Description                      GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.
Title                            GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter
Weaknesses                       CWE-79
References
Metrics                          cvssV3_1: {'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N'}
                                 cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-21T13:31:13.580Z

Reserved: 2026-01-15T18:42:20.938Z

Link: CVE-2026-23753

Vulnrichment

Updated: 2026-04-21T13:31:08.448Z

NVD

Status: Analyzed

Published: 2026-04-20T18:16:24.137

Modified: 2026-04-27T15:07:29.780

Link: CVE-2026-23753

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:47:24Z

Weaknesses