CVE-2026-23615

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting issue in the Sender Policy Framework Email Exceptions interface. An authenticated user can inject HTML or JavaScript code into the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription parameter of the /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx API endpoint. This injected code is then stored and displayed within the management interface, enabling script execution within the context of a logged-in user.

Recommendations Versions prior to 22.4 should be updated.