CVE-2026-23753
Stored XSS in GFI HelpDesk Language Management Allows Admin Hijack
Publication date: 2026-04-20
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gfi | helpdesk | < 4.99.9 (fixed in 4.99.9) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23753 is a stored cross-site scripting (XSS) vulnerability in GFI HelpDesk versions before 4.99.9. It lies in the language management functionality: the charset POST parameter is passed straight into SWIFT_Language::Create() without HTML sanitization, and the stored value is later rendered into the Languages page unencoded.
An authenticated administrator can therefore put arbitrary HTML and JavaScript into the charset field when creating or editing a language. The payload is persisted and runs in the browser of every administrator who subsequently opens the Languages page, with no further interaction on their part.
How can this vulnerability impact me?
The injected script runs with the session and privileges of whichever administrator views the Languages page, so it can issue any request that administrator could make in the helpdesk and read any data their session can reach. In practice one administrator account (malicious or compromised) can take over the sessions of all other administrators, which is why the advisory title describes the issue as an admin hijack. The prerequisite is an existing administrator login; unauthenticated users cannot trigger it directly.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The simplest check is the version: any GFI HelpDesk installation older than 4.99.9 is affected. Because the payload is stored, the data is more telling than the traffic: a language's charset should be a plain charset name such as UTF-8 or ISO-8859-1, so a stored charset value that contains <, >, quotes or an on...= handler is an injected payload whatever the logs say.
On the traffic side, the vulnerable request is an authenticated administrator's POST to the language create or edit endpoint, with the payload in the charset form field, that is, in the request body rather than the URL.
Network or system administrators can monitor HTTP POST requests to the language management pages and flag charset values that are not charset names; an allow-list check is more robust than searching for <script, which misses attribute-based and URL-encoded payloads.
- Use web proxy tools (e.g., Burp Suite, OWASP ZAP) to intercept and inspect POST requests to the language management functionality, focusing on the charset parameter.
- Search logs that actually record request bodies (a ModSecurity audit log, a reverse proxy configured to log bodies, or the application's own log); a default access.log holds only the request line, so a payload in a POST body never appears there. For example:
- grep -iE "charset=.*(<script|%3Cscript)" /path/to/request-body.log
- Use curl or similar tools, against your own instance only, to send a test POST with a harmless marker (a unique string containing < and ") in the charset parameter, then fetch the Languages page and check whether the marker comes back HTML-encoded; if it appears verbatim in the HTML, the instance is vulnerable.
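The checks above, as an added example that is not part of the original page or of GFI's code: a small Python script that applies an allow-list for charset names to POST bodies found in a log and to stored language records. The log format, the request path /admin/languages/insert, the form field names other than charset, and the record layout are constructed assumptions for illustration; adapt the path pattern and line parsing to your real logs, and feed the stored-record check from the actual language table or an export of it.

```python
"""Detection helper for CVE-2026-23753 (stored XSS via the GFI HelpDesk language charset field).

Added example, not GFI code. The log format, request path and database rows below are
constructed for illustration and make no claim about GFI's real schema or routes.
"""
import re
from html import unescape
from urllib.parse import parse_qs, unquote_plus

# Allow-list for what a charset name may look like. IANA charset names are ASCII letters, digits
# and a little punctuation ("UTF-8", "ISO-8859-1", "windows-1252", "Shift_JIS"); the length cap is
# a sanity bound. Anything that fails this cannot be a charset and deserves a look.
CHARSET_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._:()+-]{0,39}")

# Assumption: the language-management endpoints have "language" in their path. Adjust to the real path.
LANGUAGE_PATH = re.compile(r"language", re.I)

# Constructed log format (not Apache's default, which omits POST bodies):
#   <ip> - <user> [<time>] "POST <path> HTTP/1.1" <status> body="<form-encoded request body>"
LOG_LINE = re.compile(r'"POST (?P<path>\S+) [^"]*" \d{3} body="(?P<body>[^"]*)"')


def decode_layers(value: str, rounds: int = 3) -> str:
    """Peel URL and HTML encoding so %3Cscript%3E, &lt;script&gt; and <script> compare equal.
    Repeats a few times so double-encoded payloads (%253C...) are caught too."""
    for _ in range(rounds):
        decoded = unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_charset(value: str) -> bool:
    """True when the decoded value is not a plausible charset name."""
    return CHARSET_NAME.fullmatch(decode_layers(value)) is None


def scan_log(lines):
    """Return [(line_no, path, charset)] for POSTs to a language endpoint whose charset fails the allow-list."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        m = LOG_LINE.search(line)
        if not m or not LANGUAGE_PATH.search(m.group("path")):
            continue
        # The body is still form-encoded in the log: parse_qs undoes one layer, decode_layers the rest.
        for charset in parse_qs(m.group("body"), keep_blank_values=True).get("charset", []):
            if is_suspicious_charset(charset):
                findings.append((line_no, m.group("path"), charset))
    return findings


def audit_stored_charsets(rows):
    """Return ids of stored language records whose charset is not a charset name.
    The payload is stored, so the database is the authoritative place to look even if logs are gone."""
    return [row["id"] for row in rows if is_suspicious_charset(row["charset"])]


# Constructed sample data so the script runs stand-alone.
SAMPLE_LOG = [
    '10.0.0.5 - admin [20/Apr/2026:10:00:01 +0000] "POST /admin/languages/insert HTTP/1.1" 302 '
    'body="title=German&languagecode=de&charset=UTF-8"',
    '10.0.0.5 - admin [20/Apr/2026:10:02:14 +0000] "POST /admin/languages/insert HTTP/1.1" 302 '
    'body="title=Test&languagecode=xx&charset=%22%3E%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E"',
    '10.0.0.7 - agent [20/Apr/2026:10:03:00 +0000] "POST /admin/tickets/reply HTTP/1.1" 200 '
    'body="charset=%3Cscript%3E&reply=hello"',
]
SAMPLE_ROWS = [
    {"id": 1, "title": "English", "charset": "UTF-8"},
    {"id": 2, "title": "Test", "charset": '"><img src=x onerror=alert(document.cookie)>'},
    {"id": 3, "title": "Japanese", "charset": "Shift_JIS"},
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("suspicious POST: line %d %s charset=%r" % hit)
    print("stored records to review:", audit_stored_charsets(SAMPLE_ROWS))
```

The third sample line carries a <script> tag but is ignored because it targets a ticket endpoint, not the language one; the same allow-list predicate is what a WAF rule on the charset parameter should enforce, since blocking only "<script" leaves attribute-injection payloads like the second line untouched.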
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade GFI HelpDesk to version 4.99.9 or later where the issue has been fixed.
If upgrading is not immediately possible, restrict access to the language management functionality to the smallest possible set of trusted administrators and monitor it for changes.
Make administrators aware of the risk, but note that simply opening the Languages page is enough to trigger a stored payload, so "not interacting" with a suspicious entry is no protection. Audit the existing language records and remove or correct any whose charset is not a plain charset name before administrators browse that page.
Implement web application firewall (WAF) rules on the language create and edit endpoints that allow only charset-name characters (letters, digits, dot, underscore, colon, hyphen) in the charset parameter, rather than trying to blacklist JavaScript; keep in mind that a WAF does nothing about payloads that are already stored.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how CVE-2026-23753 impacts compliance with common standards and regulations such as GDPR or HIPAA.