CVE-2026-23613 is a stored cross-site scripting vulnerability classified under CWE-79, found in GFI Software's MailEssentials AI product prior to version 22.4. The vulnerability resides in the URI DNS Blocklist configuration page (/MailEssentials/pages/MailSecurity/uridnsblocklist.aspx), specifically in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter. An authenticated user can inject arbitrary HTML or JavaScript code into this parameter, which is then stored persistently and rendered in the management interface. When a privileged user accesses the affected page, the malicious script executes in their browser context, potentially allowing theft of session cookies, unauthorized actions, or further compromise of the administrative interface. The attack vector requires network access to the management interface and user authentication but does not require elevated privileges beyond standard user login. The vulnerability's CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N) indicates network attack vector, low attack complexity, no attack or scope change, privileges required at the user level, and user interaction needed. The impact on confidentiality and integrity is limited but non-negligible, as it can lead to session hijacking or unauthorized administrative actions. No public exploits have been reported, and no official patches are linked yet, but the issue is publicly disclosed and should be addressed promptly.

The primary impact of this vulnerability is the potential compromise of the administrative interface of GFI MailEssentials AI, which is critical for email security management. Successful exploitation could allow an attacker to execute arbitrary scripts in the context of an authenticated administrator, leading to session hijacking, credential theft, or unauthorized configuration changes. This could degrade the integrity and confidentiality of the email security infrastructure, potentially allowing malicious emails to bypass filters or enabling further lateral movement within an organization's network. Although the vulnerability requires authentication and user interaction, the risk remains significant in environments where multiple users have access to the management console or where credential compromise is possible. Organizations relying on MailEssentials AI for email threat protection could face increased exposure to phishing, malware, or data leakage if this vulnerability is exploited.

Organizations should immediately upgrade GFI MailEssentials AI to version 22.4 or later once available, as this will contain the necessary fixes to neutralize the XSS vulnerability. In the interim, administrators should restrict access to the management interface to trusted networks and users only, employing network segmentation and VPNs to limit exposure. Implement strict input validation and output encoding on the URI DNS Blocklist configuration page to prevent injection of malicious scripts. Employ Content Security Policy (CSP) headers to reduce the impact of potential script execution. Regularly audit user accounts and permissions to minimize the number of users with access to the vulnerable interface. Monitor logs for unusual activity related to the URI DNS Blocklist page and consider deploying web application firewalls (WAFs) with custom rules to detect and block suspicious payloads targeting this parameter. Educate administrators about the risks of clicking unknown links or opening suspicious pages within the management console.