CVE-2026-23614 is a stored cross-site scripting vulnerability classified under CWE-79, affecting GFI Software's MailEssentials AI versions prior to 22.4. The vulnerability resides in the Sender Policy Framework (SPF) IP Exceptions interface, specifically in the parameter ctl00$ContentPlaceHolder1$pv2$txtIPDescription on the /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx page. An authenticated user can inject arbitrary HTML or JavaScript code into this parameter, which is then stored persistently on the server. When the stored data is later rendered in the management interface, the malicious script executes in the context of the logged-in user's browser session. This can lead to unauthorized actions such as session hijacking, privilege escalation, or manipulation of the management interface. The attack requires the attacker to have valid login credentials but does not require administrative privileges. The vulnerability is exploitable remotely over the network without user interaction beyond authentication. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:L - low privileges), and user interaction required (UI:P). The impact on confidentiality and integrity is low, with no impact on availability. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of this vulnerability is the potential for attackers with valid credentials to execute arbitrary scripts within the management interface of MailEssentials AI. This can lead to session hijacking, allowing attackers to impersonate legitimate users or administrators, potentially escalating privileges or performing unauthorized configuration changes. Such unauthorized access could compromise email security policies, leading to increased risk of phishing, spam, or malware delivery through the mail gateway. Additionally, attackers could manipulate the management interface to disrupt normal operations or exfiltrate sensitive configuration data. While the vulnerability requires authentication, many organizations have multiple users with access to the management console, increasing the attack surface. The medium severity rating reflects moderate risk, but the stored nature of the XSS increases persistence and potential damage. Organizations relying on MailEssentials AI for email security could face significant operational and reputational damage if exploited.

Organizations should upgrade GFI MailEssentials AI to version 22.4 or later where this vulnerability is fixed. In the absence of an immediate patch, administrators should restrict access to the management interface to trusted users only and enforce strong authentication mechanisms such as multi-factor authentication to reduce the risk of credential compromise. Input validation and output encoding should be implemented on the txtIPDescription parameter to neutralize HTML and JavaScript content before storage and rendering. Web application firewalls (WAFs) can be configured to detect and block suspicious payloads targeting this parameter. Regular auditing of SPF IP Exceptions entries should be conducted to identify and remove any suspicious or malformed entries. Monitoring for unusual administrative activity and session anomalies can help detect exploitation attempts. Finally, educating users with access about the risks of stored XSS and safe handling of input fields can reduce inadvertent exploitation.