CVE-2026-23610 is a stored cross-site scripting (XSS) vulnerability identified in GFI Software's MailEssentials AI product, specifically affecting versions prior to 22.4. The vulnerability resides in the POP2Exchange configuration endpoint, which accepts a JSON payload at the URL /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save. Within this payload, the "popServers" array includes a POP3 server login field that improperly neutralizes input, allowing an authenticated user to inject arbitrary HTML or JavaScript code. This malicious input is stored persistently and later rendered within the management interface of MailEssentials AI without adequate sanitization or encoding. As a result, when a legitimate administrator or user accesses the management console, the injected script executes in their browser context. This can lead to session hijacking, unauthorized actions, or privilege escalation within the application. The vulnerability requires the attacker to have authenticated access to the management interface, but no additional user interaction is necessary once the payload is stored. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction is required (the logged-in user viewing the interface). The impact on confidentiality and integrity is limited but non-negligible, as the attacker can execute scripts in the context of other users. No public exploits or active exploitation have been reported to date. The vulnerability highlights insufficient input validation and output encoding in the web application components of MailEssentials AI. It is recommended to apply patches or upgrade to version 22.4 or later when available, and to restrict management interface access to trusted administrators only.

The primary impact of CVE-2026-23610 is the potential for attackers with authenticated access to execute arbitrary scripts within the MailEssentials AI management interface. This can lead to session hijacking, theft of administrative credentials, unauthorized configuration changes, or pivoting to other parts of the network. While exploitation requires authentication, the stored nature of the XSS means that any administrator accessing the affected interface could be compromised, increasing the risk of lateral movement and persistent access. Organizations relying on MailEssentials AI for email security may face risks to the integrity and confidentiality of their email filtering and security configurations. This could degrade their overall security posture and potentially allow malicious emails to bypass filters or cause denial of service through misconfiguration. The medium CVSS score reflects moderate risk, but the actual impact depends on the organization's user access controls and monitoring. Since no known exploits are in the wild, the threat is currently theoretical but should be addressed proactively to prevent future abuse.

To mitigate CVE-2026-23610, organizations should upgrade GFI MailEssentials AI to version 22.4 or later once the patch is released, as this version addresses the input validation and output encoding flaws. Until a patch is available, restrict access to the MailEssentials AI management interface to trusted administrators only, ideally via network segmentation and VPNs. Implement strict authentication controls, including strong passwords and multi-factor authentication, to reduce the risk of unauthorized access. Monitor logs for unusual activity related to the POP2Exchange configuration endpoint and review configuration changes regularly. Educate administrators about the risks of stored XSS and advise caution when interacting with configuration interfaces. Additionally, consider deploying web application firewalls (WAFs) that can detect and block malicious payloads targeting the management interface. Finally, conduct regular security assessments and penetration tests to identify and remediate similar vulnerabilities proactively.