CVE-2026-23610

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description GFI MailEssentials AI versions before 22.4 have a stored cross-site scripting issue in the POP2Exchange configuration. A logged-in user can inject HTML or JavaScript into the POP3 server login field within the JSON popServers payload sent to the /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save API endpoint. This injected code is then saved and displayed in the management interface, leading to script execution within the user's session.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.