CVE-2026-23611 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting GFI Software's MailEssentials AI product versions prior to 22.4. The vulnerability resides in the IP Blocklist management page (/MailEssentials/pages/MailSecurity/ipblocklist.aspx), specifically in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter. An authenticated user with access to this interface can inject arbitrary HTML or JavaScript code into this parameter. Because the input is stored and later rendered without proper sanitization or encoding, the malicious script executes in the security context of other authenticated users who access the management page. This can lead to session hijacking, unauthorized actions, or disclosure of sensitive information within the management interface. The vulnerability requires the attacker to have legitimate credentials (low privilege) and some user interaction (viewing the affected page). The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low attack complexity, no authentication bypass, partial confidentiality and integrity impact, and limited scope. No public exploits are currently known, but the vulnerability poses a risk to organizations relying on MailEssentials AI for email security management. The absence of an official patch link suggests mitigation or patching guidance may be pending or forthcoming.

The primary impact of this vulnerability is the potential for attackers with authenticated access to execute arbitrary scripts within the management interface of MailEssentials AI. This can lead to session hijacking, enabling attackers to escalate privileges or perform unauthorized administrative actions. Confidentiality and integrity of the management console data may be compromised, potentially exposing sensitive email security configurations or user credentials. Although the vulnerability does not directly affect email processing, compromising the management interface could allow attackers to alter security policies or blocklists, weakening overall email security posture. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with multiple administrators or weak credential management. Organizations worldwide using GFI MailEssentials AI in their email security infrastructure may face operational disruptions, data breaches, or compliance issues if exploited.

Organizations should immediately verify their MailEssentials AI version and upgrade to version 22.4 or later once available to address this vulnerability. In the absence of an official patch, administrators should restrict access to the IP Blocklist management page to trusted personnel only and enforce strong authentication mechanisms, including multi-factor authentication. Input validation and output encoding should be implemented on the affected parameter to prevent injection of malicious scripts. Monitoring and logging of administrative interface access should be enhanced to detect suspicious activities. Additionally, consider isolating the management interface behind VPNs or internal networks to reduce exposure. Regular security training for administrators on phishing and credential hygiene can reduce the risk of credential compromise that could lead to exploitation. Finally, stay updated with vendor advisories for official patches or workarounds.