PT-2026-33821 · Gfi · Gfi Helpdesk
Alex Williams
Published: 2026-04-20 · Updated: 2026-04-21
CVE-2026-23753
CVSS v3.1: 4.8 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
GFI HelpDesk versions prior to 4.99.9
Description
A stored cross-site scripting issue exists in the language management functionality. The 'charset' POST parameter is passed directly to the SWIFT_Language::Create() function without HTML sanitization and is later rendered unescaped by View_Language::RenderGrid(). This allows an authenticated administrator to inject arbitrary JavaScript through the charset field when creating or editing a language; the payload then executes in the browser of any administrator who views the Languages page. Exploitation requires an administrator account and a second administrator opening the page (PR:H and UI:R in the CVSS vector), which is why the score stays Medium despite the changed scope.
Recommendations
Update to version 4.99.9 or later.
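The following Python example is added here to illustrate the flaw described above and its fix; it is not GFI HelpDesk code (the product is written in PHP, and the real SWIFT_Language / View_Language classes are not reproduced). The `Language` model, the store list, the sample charset payload and the `is_affected` version check are all constructed for this illustration. It shows the vulnerable pattern (store the POST value as-is, interpolate it into the grid unescaped) next to a hardened one that allowlists the charset token on input and HTML-escapes on output, and a helper that tells whether a given version string falls before the fixed 4.99.9 release.

```python
import html
import re

# Constructed sample input for this example (not taken from the advisory): a
# charset value carrying a script tag, of the kind an authenticated admin could
# submit in the 'charset' POST parameter of the language form.
CONSTRUCTED_CHARSET_PAYLOAD = '<script>alert(1)</script>'

# Registered charset names use the RFC 2978 "mime-charset" token alphabet; a
# value outside it can never be a legitimate charset, so it is safe to reject.
CHARSET_TOKEN = re.compile(r'^[A-Za-z0-9!#$%&+\-^_`{}~]{1,40}$')

# First fixed release according to the advisory.
FIXED_VERSION = (4, 99, 9)


class Language:
    """Minimal stand-in for a stored language record (hypothetical model)."""

    def __init__(self, title, charset):
        self.title = title
        self.charset = charset


def create_language_vulnerable(store, title, charset):
    """Flawed pattern from the advisory: the charset is stored unvalidated."""
    record = Language(title, charset)
    store.append(record)
    return record


def render_grid_vulnerable(store):
    """Flawed pattern: stored values are interpolated into HTML unescaped."""
    rows = ''.join(
        f'<tr><td>{lang.title}</td><td>{lang.charset}</td></tr>' for lang in store
    )
    return f'<table>{rows}</table>'


def create_language_hardened(store, title, charset):
    """Reject anything that is not a syntactically valid charset token."""
    if not CHARSET_TOKEN.match(charset):
        raise ValueError(f'invalid charset value: {charset!r}')
    record = Language(title, charset)
    store.append(record)
    return record


def render_grid_hardened(store):
    """Escape on output, so a record stored by an old build is rendered inert."""
    rows = ''.join(
        f'<tr><td>{html.escape(lang.title)}</td>'
        f'<td>{html.escape(lang.charset)}</td></tr>'
        for lang in store
    )
    return f'<table>{rows}</table>'


def is_affected(version):
    """True when a dotted GFI HelpDesk version string is earlier than 4.99.9."""
    parts = tuple(int(p) for p in version.split('.'))
    return parts < FIXED_VERSION


if __name__ == '__main__':
    vuln_store, safe_store = [], []
    create_language_vulnerable(vuln_store, 'English', CONSTRUCTED_CHARSET_PAYLOAD)
    print(render_grid_vulnerable(vuln_store))  # script tag lands in the page
    try:
        create_language_hardened(safe_store, 'English', CONSTRUCTED_CHARSET_PAYLOAD)
    except ValueError as exc:
        print('rejected:', exc)
    create_language_hardened(safe_store, 'English', 'UTF-8')
    print(render_grid_hardened(safe_store))
    for v in ('4.99.8', '4.99.9'):
        print(v, 'affected' if is_affected(v) else 'fixed')
```

Both halves of the hardened path matter: input validation blocks new malicious records, while output escaping neutralises any record that was stored before the upgrade, since the upgrade itself does not clean existing database rows.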
Tags: Fix, XSS
Affected Products
Gfi Helpdesk