CVE-2026-23607

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description The software contains a stored cross-site scripting issue in the Anti-Spam Whitelist management interface. A user with valid credentials can inject HTML or JavaScript code into the ctl00$ContentPlaceHolder1$pv1$txtDescription parameter of the '/MailEssentials/pages/MailSecurity/Whitelist.aspx' API endpoint. This injected code is then saved and displayed within the management interface, leading to script execution within the context of the logged-in user.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.