CVE-2026-23619

Name of the Vulnerable Software and Affected Versions GFI MailEssentials AI versions prior to 22.4

Description GFI MailEssentials AI versions before 22.4 have a stored cross-site scripting issue in the Local Domains settings page. A logged-in user can inject HTML or JavaScript code into the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter of the ''/MailEssentials/pages/MailSecurity/general.aspx'' endpoint. This injected code is then saved and displayed within the management interface, enabling script execution within the user's session.

Recommendations Update GFI MailEssentials AI to version 22.4 or later.