Stored Cross-Site Scripting in GFI HelpDesk Language Management
CVE-2026-23753

4.8MEDIUM

Key Information:

Vendor: Gfi Software
Status: Helpdesk
Vendor: CVE Published:; 20 April 2026

🔔 Create Gfi Software Vulnerability Alert

What is CVE-2026-23753?

GFI HelpDesk prior to version 4.99.9 contains a vulnerability in its language management functionality, allowing an authenticated administrator to execute arbitrary JavaScript in the browser of any administrator who views the Languages page. This occurs due to the charset POST parameter being passed directly to the SWIFT_Language::Create() method without proper HTML sanitization, resulting in unsanitized content being rendered by View_Language.RenderGrid(). Exploitation of this vulnerability can lead to various attacks including session hijacking and data manipulation.

Affected Version(s)

HelpDesk 0 < 4.99.9

References

https://gfi.ai/products-and-solutions/email-and-messaging...

vendor-advisorypatch

https://www.vulncheck.com/advisories/gfi-helpdesk-stored-...

third-party-advisory

CVSS V4

Score:

4.8

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 20, 2026
Vulnerability Reserved
Jan 15, 2026

Credit

Alex Williams from Pellera Technologies

VulnCheck

CVE-2026-23753 Data

JSON