CVE-2026-23610 is a stored cross-site scripting vulnerability classified under CWE-79 affecting GFI Software's MailEssentials AI product versions prior to 22.4. The vulnerability resides in the POP2Exchange configuration endpoint, specifically in the handling of the POP3 server login field within the JSON "popServers" payload submitted to the /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save endpoint. An authenticated user can inject arbitrary HTML or JavaScript code into this field, which is then stored persistently on the server. When an administrator or other privileged user accesses the management interface, the malicious script is rendered and executed in their browser context. This allows the attacker to perform actions such as stealing session cookies, executing arbitrary commands in the context of the logged-in user, or manipulating the management interface to escalate privileges or disrupt operations. The vulnerability requires the attacker to have valid credentials (authenticated user) but does not require additional user interaction beyond the victim viewing the affected page. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), user interaction required (UI:P), and low impact on confidentiality and integrity but limited impact on availability. No public exploits are currently known, but the vulnerability poses a risk due to the sensitive nature of the management interface and the potential for lateral movement or privilege escalation within an organization's email security infrastructure.

The impact of CVE-2026-23610 is primarily on the confidentiality and integrity of the management interface of GFI MailEssentials AI. Successful exploitation can lead to session hijacking, theft of administrative credentials, unauthorized configuration changes, and potential disruption of email security operations. This can compromise the organization's email filtering and anti-spam defenses, potentially allowing malicious emails to bypass security controls. Additionally, attackers could leverage this foothold to move laterally within the network or escalate privileges. The vulnerability affects organizations worldwide that deploy GFI MailEssentials AI, especially those relying on its management interface for critical email security functions. Given the medium severity and requirement for authentication, the risk is moderate but significant in environments where multiple users have access to the management console or where credential compromise is easier. The absence of known exploits reduces immediate risk but does not eliminate the threat, as attackers may develop exploits in the future.

To mitigate CVE-2026-23610, organizations should upgrade GFI MailEssentials AI to version 22.4 or later where the vulnerability is fixed. If immediate patching is not possible, restrict access to the management interface to trusted networks and users only, using network segmentation and firewall rules. Implement strong authentication controls, including multi-factor authentication (MFA), to reduce the risk of credential compromise. Regularly audit user accounts and permissions to ensure only necessary users have access to the POP2Exchange configuration endpoint. Employ Content Security Policy (CSP) headers on the management interface to limit the impact of injected scripts. Monitor logs for unusual activity related to the POP2Exchange endpoint and suspicious user behavior. Educate administrators about the risks of XSS and encourage cautious handling of configuration inputs. Finally, consider deploying web application firewalls (WAFs) with rules to detect and block malicious payloads targeting this endpoint.