CVE-2026-23618 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, affecting GFI Software's MailEssentials AI product versions prior to 22.4. The vulnerability resides in the Spam Keyword Checking (Subject) conditions interface, specifically in the ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition parameter of the /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx page. An authenticated user can inject malicious HTML or JavaScript code into this parameter, which is then stored persistently and rendered later within the management interface. Because the injected script executes in the context of a logged-in administrator or user, it can lead to unauthorized actions such as session hijacking, privilege escalation, or manipulation of the management interface. The vulnerability does not require elevated privileges beyond authentication but does require user interaction to trigger the stored payload. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed, with limited confidentiality and integrity impact but no availability impact. No public exploits are currently known, and no official patches were linked at the time of publication. This vulnerability highlights improper input neutralization during web page generation, a common web application security flaw.

The primary impact of this vulnerability is the potential for attackers with valid credentials to execute arbitrary scripts within the management interface of MailEssentials AI. This can lead to session hijacking, theft of sensitive administrative information, unauthorized configuration changes, or pivoting to other parts of the network. Since the vulnerability requires authentication, the risk is somewhat mitigated but remains significant in environments where user credentials may be compromised or where insider threats exist. The stored nature of the XSS means that injected scripts persist and can affect multiple users or sessions. Organizations relying on MailEssentials AI for email security management could face operational disruptions, data leakage, or compromised security postures if exploited. The absence of known exploits reduces immediate risk, but the medium severity score indicates that timely remediation is important to prevent future exploitation.

To mitigate this vulnerability, organizations should upgrade GFI MailEssentials AI to version 22.4 or later once patches are available. In the absence of an official patch, administrators should implement strict input validation and output encoding on the Spam Keyword Checking interface to neutralize HTML and JavaScript content. Restricting access to the management interface to trusted networks and enforcing strong authentication mechanisms, including multi-factor authentication, can reduce the risk of exploitation. Regularly auditing user accounts and privileges to limit access to only necessary personnel will minimize potential attackers. Monitoring logs for unusual activity related to the ASKeywordChecking.aspx page and the specific parameter can help detect attempted exploitation. Additionally, educating administrators about the risks of stored XSS and safe handling of input fields can further reduce exposure.