CVE-2026-23616

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting issue in the Anti-Spoofing configuration page. An authenticated user can inject HTML or JavaScript into the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter of the '/MailEssentials/pages/MailSecurity/AntiSpoofing.aspx' API endpoint. This input is stored and subsequently displayed within the management interface, enabling script execution within the context of a logged-in user.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.