CVE-2026-23612 is a stored cross-site scripting vulnerability classified under CWE-79, affecting GFI Software's MailEssentials AI product prior to version 22.4. The flaw resides in the IP DNS Blocklist configuration page, specifically in the ctl00$ContentPlaceHolder1$pv1$TXB_IPs parameter of the /MailEssentials/pages/MailSecurity/ipdnsblocklist.aspx endpoint. An authenticated user can inject arbitrary HTML or JavaScript code into this parameter, which the application stores and subsequently renders within the management interface without proper input sanitization or output encoding. This improper neutralization of input allows the injected script to execute in the security context of a logged-in administrator or user with access to the management console. The vulnerability requires authentication but no elevated privileges beyond that, and user interaction is necessary to trigger the malicious payload. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) reflects network attack vector, low attack complexity, no attack or scope change, low impact on confidentiality and integrity, and partial impact on availability. Although no known exploits are currently in the wild, the vulnerability poses a risk of session hijacking, privilege escalation, or unauthorized actions within the MailEssentials AI management interface. The vulnerability affects organizations using vulnerable versions of MailEssentials AI, a widely deployed email security and anti-spam solution, potentially exposing critical email infrastructure to compromise.

The primary impact of this vulnerability is the potential for attackers with valid credentials to execute arbitrary scripts within the context of the MailEssentials AI management interface. This can lead to session hijacking, allowing attackers to impersonate administrators and perform unauthorized actions such as modifying security policies, disabling protections, or exfiltrating sensitive configuration data. The stored nature of the XSS increases risk as malicious scripts persist and can affect multiple users accessing the interface. Organizations relying on MailEssentials AI for email security may face increased risk of email compromise, spam bypass, or malware delivery if attackers leverage this vulnerability to weaken defenses. The medium CVSS score reflects moderate risk; however, the impact can be significant in environments where administrative credentials are shared or weakly protected. The vulnerability could also facilitate lateral movement within networks if attackers gain administrative control over email security appliances. No public exploits have been reported yet, but the presence of this vulnerability in a critical security product warrants prompt attention to prevent potential targeted attacks.

Organizations should upgrade GFI MailEssentials AI to version 22.4 or later, where this vulnerability is addressed. If immediate patching is not feasible, administrators should restrict access to the MailEssentials AI management interface to trusted networks and users only, employing network segmentation and strong authentication controls such as multi-factor authentication (MFA). Input validation and output encoding should be enforced on the IP DNS Blocklist configuration page to prevent injection of malicious scripts. Monitoring and logging of administrative interface access should be enhanced to detect suspicious activities indicative of exploitation attempts. Additionally, administrators should review and limit the number of users with access to the configuration interface to reduce the attack surface. Regular security awareness training should emphasize the risks of stored XSS and the importance of credential hygiene. Finally, organizations should maintain up-to-date backups of configuration data to enable recovery in case of compromise.