CVE-2026-23604: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in GFI Software MailEssentials AI
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
AI Analysis
Technical Summary
CVE-2026-23604 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting GFI Software's MailEssentials AI product versions prior to 22.4. The vulnerability exists in the Keyword Filtering rule creation workflow, specifically in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter of the /MailEssentials/pages/MailSecurity/contentchecking.aspx page. An authenticated user can inject arbitrary HTML or JavaScript code into this parameter, which is then stored persistently and rendered later within the management interface. When a legitimate administrator or user accesses the affected interface, the malicious script executes in their browser context, potentially allowing session hijacking, credential theft, or unauthorized actions within the application. The attack requires the attacker to have authenticated access to the MailEssentials AI management console, and a victim must interact with the interface to trigger the payload. The vulnerability does not require elevated privileges beyond authentication, but the impact is limited to users with access to the management interface. The CVSS 4.0 vector indicates a network attack vector, low attack complexity, privileges required no higher than those of an authenticated user, user interaction required, and limited confidentiality and integrity impact. No public exploits or active exploitation have been reported to date. The vulnerability highlights insufficient input sanitization and output encoding in the web application's rule creation workflow, a common issue in web applications that handle user-generated content. Remediation involves patching to a fixed version or implementing strict input validation and output encoding to neutralize malicious scripts.
Potential Impact
The primary impact of this vulnerability is on the confidentiality and integrity of the MailEssentials AI management environment. Successful exploitation could allow an authenticated attacker to execute arbitrary scripts in the context of other logged-in administrators or users, potentially leading to session hijacking, theft of sensitive configuration data, or unauthorized changes to email filtering rules. This could degrade the effectiveness of email security controls, allowing phishing, malware, or spam to bypass defenses. While availability impact is minimal, the compromise of administrative interfaces can have cascading effects on organizational security posture. Organizations relying on GFI MailEssentials AI for email security may face increased risk of targeted attacks against their email infrastructure. The requirement for authentication and user interaction limits the scope to insider threats or compromised credentials but does not eliminate risk. The vulnerability could be leveraged in multi-stage attacks to escalate privileges or move laterally within networks. Given the widespread use of email security products in enterprises worldwide, the impact could be significant if exploited at scale.
Mitigation Recommendations
Organizations should immediately verify their MailEssentials AI version and upgrade to version 22.4 or later, where the vulnerability is fixed. If patching is not immediately feasible, implement strict input validation on the TXB_RuleName parameter to reject or sanitize HTML and JavaScript content. Employ output encoding so that any user-supplied input is rendered as text rather than interpreted as markup or script. Restrict access to the management interface to trusted administrators only, using network segmentation and strong authentication mechanisms such as multi-factor authentication (MFA). Monitor logs for unusual activity related to rule creation or modification. Conduct regular security awareness training to reduce the risk of credential compromise. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the vulnerable parameter. Finally, review and harden overall email security policies and incident response plans to quickly detect and respond to potential exploitation attempts.
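The two controls recommended above, output encoding of the stored rule name and input validation on the rule-name field, plus a log check for rule submissions that would have been stored as markup, as an added illustration that is not GFI's code (the product is ASP.NET; this is written in Python, and the audit-log format is constructed for the example):

```python
import html
import re

# Names taken from the advisory: the vulnerable form field and page.
RULE_NAME_FIELD = "ctl00$ContentPlaceHolder1$pv1$TXB_RuleName"
VULN_PATH = "/MailEssentials/pages/MailSecurity/contentchecking.aspx"

# Anything that could open a tag, an inline event handler or a script: URL
# is not a legitimate keyword-filter rule name.
MARKUP_RE = re.compile(r"<[a-zA-Z/!?]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)


def render_rule_row_vulnerable(rule_name: str) -> str:
    """Mimics the defect: the stored value is interpolated into markup verbatim."""
    return f"<tr><td>{rule_name}</td></tr>"


def render_rule_row_fixed(rule_name: str) -> str:
    """Hardened form: HTML-encode at output time so stored text never becomes markup."""
    return f"<tr><td>{html.escape(rule_name, quote=True)}</td></tr>"


def rule_name_is_valid(rule_name: str, max_len: int = 128) -> bool:
    """Server-side validation for the rule-name field (defence in depth;
    it complements output encoding rather than replacing it)."""
    return 0 < len(rule_name.strip()) <= max_len and MARKUP_RE.search(rule_name) is None


# Constructed audit-log layout for the detection helper (one request per line:
# timestamp, user, method, path, form field=value). Not the product's real log format.
LOG_LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) ([^=\s]+)=(.*)$")

SAMPLE_AUDIT_LOG = """\
2026-02-19T18:47:11Z alice POST /MailEssentials/pages/MailSecurity/contentchecking.aspx ctl00$ContentPlaceHolder1$pv1$TXB_RuleName=Block invoice lures
2026-02-19T18:49:02Z mallory POST /MailEssentials/pages/MailSecurity/contentchecking.aspx ctl00$ContentPlaceHolder1$pv1$TXB_RuleName=<script>alert(1)</script>
2026-02-19T18:50:30Z bob POST /MailEssentials/pages/MailSecurity/other.aspx ctl00$ContentPlaceHolder1$pv1$TXB_RuleName=<b>elsewhere</b>
"""


def find_suspicious_rule_submissions(log_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, user) for POSTs to the vulnerable page whose rule name
    fails validation, i.e. would have been stored as markup on an unpatched host."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if not m:
            continue
        ts, user, method, path, field, value = m.groups()
        if method == "POST" and path == VULN_PATH and field == RULE_NAME_FIELD:
            if not rule_name_is_valid(value):
                hits.append((ts, user))
    return hits
```

Run against SAMPLE_AUDIT_LOG, only the second line is reported; the third is ignored because it targets a different page.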
Affected Countries
United States, United Kingdom, Germany, France, Canada, Australia, Netherlands, Italy, Spain, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-14T16:02:29.333Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69975aafd7880ec89b287c77
Added to database: 2/19/2026, 6:47:11 PM
Last enriched: 3/7/2026, 9:24:22 PM
Last updated: 4/3/2026, 5:50:45 AM