CVE-2026-23612 is a stored cross-site scripting (XSS) vulnerability identified in GFI Software's MailEssentials AI product, specifically affecting versions prior to 22.4. The flaw exists in the IP DNS Blocklist configuration page, where the application fails to properly sanitize or neutralize user-supplied input in the ctl00$ContentPlaceHolder1$pv1$TXB_IPs parameter. An authenticated user with access to this page can inject arbitrary HTML or JavaScript code, which is then stored persistently and rendered later in the management interface. When other authenticated administrators or users access this interface, the malicious script executes in their browser context, potentially allowing attackers to hijack sessions, steal credentials, perform unauthorized actions, or pivot further into the network. The vulnerability requires authentication but no elevated privileges, and user interaction is necessary to trigger the payload. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction required, with low impact on confidentiality and integrity but limited impact on availability. No public exploits have been reported to date, but the vulnerability poses a significant risk in environments where multiple administrators access the MailEssentials AI management console. The lack of a patch link suggests that remediation may require updating to version 22.4 or later once available or applying configuration workarounds to restrict access or input validation.

The primary impact of CVE-2026-23612 is the potential compromise of administrative accounts managing GFI MailEssentials AI, which is an email security product widely used in enterprise environments. Successful exploitation could allow attackers to execute arbitrary scripts in the context of other authenticated users, leading to session hijacking, theft of sensitive credentials, or unauthorized changes to email security configurations. This could degrade the overall security posture of the affected organization by enabling phishing, malware delivery, or bypassing email filtering controls. The vulnerability's requirement for authentication limits exposure to insider threats or attackers who have already gained some foothold. However, the stored nature of the XSS means the malicious payload can persist and affect multiple users over time. Organizations relying on MailEssentials AI for email threat protection could face increased risk of targeted attacks, data leakage, or disruption of email services if exploited. The medium severity rating reflects a moderate but tangible risk, especially in high-value or sensitive environments.

To mitigate CVE-2026-23612, organizations should upgrade GFI MailEssentials AI to version 22.4 or later once the patch is released, as this will likely include proper input sanitization and output encoding to prevent stored XSS. Until a patch is available, administrators should restrict access to the IP DNS Blocklist configuration page to the minimum number of trusted users and monitor for suspicious activity. Implement strict input validation and sanitization on any user-supplied data where possible, potentially through web application firewalls (WAFs) that can detect and block malicious scripts. Employ multi-factor authentication (MFA) for all administrative accounts to reduce the risk of compromised credentials being exploited. Regularly audit logs and user activities within the MailEssentials AI management console to detect anomalous behavior. Educate administrators about the risks of XSS and encourage cautious handling of configuration inputs. Finally, consider isolating the management interface from general network access, limiting it to secure management VLANs or VPNs to reduce exposure.