CVE-2026-23605 is a stored cross-site scripting (XSS) vulnerability identified in GFI Software's MailEssentials AI product, specifically in versions prior to 22.4. The flaw exists in the Attachment Filtering rule creation workflow, where the input parameter ctl00$ContentPlaceHolder1$pv1$TXB_RuleName is not properly sanitized or neutralized before being stored and subsequently rendered in the web management interface. An authenticated user can inject arbitrary HTML or JavaScript code into this parameter, which is then stored persistently on the server. When the management interface renders this stored data, the malicious script executes in the context of the logged-in user’s browser session. This can lead to unauthorized actions such as session hijacking, credential theft, or execution of administrative commands if the victim has elevated privileges. The vulnerability requires the attacker to have valid authentication credentials and involves some user interaction, such as accessing the affected page. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction is needed. The impact on confidentiality and integrity is low to medium, with no direct impact on availability. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on MailEssentials AI for email security management. The lack of a patch link suggests that a fix may be forthcoming or that users should upgrade to version 22.4 or later to remediate the issue.

The primary impact of this vulnerability is the potential compromise of administrative or user sessions within the MailEssentials AI management interface. Successful exploitation can allow attackers to execute arbitrary scripts, leading to session hijacking, theft of sensitive information, or unauthorized changes to email security configurations. This could undermine the integrity of email filtering rules, potentially allowing malicious emails to bypass security controls. While the vulnerability does not directly affect system availability, the compromise of administrative accounts could lead to broader security breaches within the organization’s email infrastructure. Organizations worldwide using affected versions of MailEssentials AI are at risk, particularly those with large deployments or high-value targets. The requirement for authentication limits exploitation to insiders or compromised accounts, but the risk remains significant in environments with weak credential management or phishing susceptibility.

To mitigate this vulnerability, organizations should upgrade GFI MailEssentials AI to version 22.4 or later, where the issue is resolved. If immediate patching is not possible, administrators should restrict access to the management interface to trusted personnel only and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Input validation and output encoding should be implemented or verified in the Attachment Filtering rule creation workflow to prevent injection of malicious scripts. Additionally, monitoring and logging of administrative actions can help detect suspicious behavior indicative of exploitation attempts. Regular security training for administrators to recognize phishing and social engineering attacks can reduce the risk of credential theft. Network segmentation and limiting management interface exposure to internal networks or VPNs can further reduce attack surface.