CVE-2026-23613 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting GFI Software MailEssentials AI versions prior to 22.4. The vulnerability resides in the URI DNS Blocklist configuration page, specifically in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter of the /MailEssentials/pages/MailSecurity/uridnsblocklist.aspx endpoint. An authenticated user with access to this configuration page can inject malicious HTML or JavaScript code into this parameter. Because the input is stored persistently and later rendered without proper sanitization or encoding in the management interface, the malicious script executes in the security context of any logged-in user who views the page. This can lead to session hijacking, unauthorized actions, or privilege escalation within the MailEssentials AI management console. The vulnerability requires the attacker to have valid credentials (authenticated user) and some user interaction (viewing the infected page). The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction required. The impact on confidentiality and integrity is limited but non-negligible, as it can facilitate unauthorized access or control over the management interface. No public exploits have been reported yet, but the vulnerability is publicly disclosed and should be addressed promptly. The lack of an official patch link suggests that users should monitor vendor advisories for updates or apply workarounds.

The primary impact of this vulnerability is the potential for attackers with valid credentials to execute arbitrary scripts within the MailEssentials AI management interface. This can lead to session hijacking, allowing attackers to impersonate legitimate administrators or users, potentially gaining unauthorized access to sensitive email security configurations. Attackers could manipulate blocklists, disable protections, or exfiltrate sensitive configuration data. While the vulnerability requires authentication, the risk is significant in environments where multiple users have access to the management console or where credentials may be compromised or shared. Exploitation could undermine the integrity and availability of email security defenses, increasing the risk of successful phishing or malware campaigns. Organizations relying on MailEssentials AI for email security may face increased exposure to targeted attacks and operational disruptions if this vulnerability is exploited.

1. Upgrade to GFI MailEssentials AI version 22.4 or later once an official patch is released to address this vulnerability. 2. Until a patch is available, restrict access to the URI DNS Blocklist configuration page to the minimum necessary set of trusted administrators. 3. Implement strong authentication mechanisms such as multi-factor authentication (MFA) to reduce the risk of credential compromise. 4. Monitor and audit user activities within the management console to detect any suspicious behavior or unauthorized changes. 5. Use web application firewalls (WAFs) with rules to detect and block common XSS payloads targeting the affected parameter. 6. Educate administrators about the risks of stored XSS and safe handling of input fields in the management interface. 7. Regularly review and sanitize any user-supplied inputs in custom configurations to prevent injection of malicious scripts. 8. Limit browser trust levels or isolate management consoles in secure network segments to reduce the impact of potential XSS exploitation.