CVE-2026-23605

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting issue in the Attachment Filtering rule creation workflow. An authenticated user can provide HTML or JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB RuleName parameter to the '/MailEssentials/pages/MailSecurity/attachmentchecking.aspx' API endpoint. This input is stored and subsequently displayed in the management interface, enabling script execution within the context of a logged-in user.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.