CVE-2026-23614

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description The software contains a stored cross-site scripting issue in the Sender Policy Framework IP Exceptions interface. A logged-in user can inject HTML or JavaScript code into the ctl00$ContentPlaceHolder1$pv2$txtIPDescription parameter of the '/MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx' API endpoint. This input is then saved and displayed within the management interface, potentially leading to script execution within the user's session.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.