
CVE-2026-23619: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in GFI Software MailEssentials AI

Severity: Medium
Tags: Vulnerability, CVE-2026-23619, CWE-79
Published: Thu Feb 19 2026 (02/19/2026, 18:00:09 UTC)
Source: CVE Database V5
Vendor/Project: GFI Software
Product: MailEssentials AI

Description

CVE-2026-23619 is a stored cross-site scripting (XSS) vulnerability affecting GFI Software's MailEssentials AI in versions prior to 22.4. The flaw is in the Local Domains settings page, where an authenticated user can inject HTML or JavaScript through the txtDescription parameter. The input is stored and later rendered in the management interface, so the script executes in the browser of whichever logged-in administrator or user views that page. Exploitation requires authentication and user interaction, which limits the attack surface. The CVSS 4.0 base score is 5.1 (medium). No public exploit has been reported. Organizations running affected versions should upgrade or apply mitigations, since a successful attack can hijack a viewer's session or perform console actions with that viewer's privileges.

AI-Powered Analysis

Last updated: 02/19/2026, 19:02:27 UTC

Technical Analysis

CVE-2026-23619 is a stored cross-site scripting vulnerability (CWE-79) in GFI Software's MailEssentials AI, versions prior to 22.4. It arises from improper neutralization of user-supplied input during web page generation on the Local Domains settings page: an authenticated user can submit HTML or JavaScript in the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter of the /MailEssentials/pages/MailSecurity/general.aspx endpoint. The value is stored persistently and later rendered in the management interface without adequate output encoding, so the injected script runs in the browser session of any logged-in user who views it. An attacker needs authenticated access to the management interface, and a victim must view the page that renders the stored payload. The CVSS 4.0 vector records a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, meaning an authenticated account, not no privileges), passive user interaction (UI:P), low impact on confidentiality and integrity, and no impact on availability. Because the payload executes in the victim's session, it can issue requests to the console with the victim's privileges: a low-privileged account that plants the payload and waits for an administrator to open the Local Domains page can perform administrative actions, which is the privilege escalation path. No exploits in the wild have been reported. The risk is greatest where several administrators or users share the management interface. The record lists no patch link; the affected range (prior to 22.4) identifies 22.4 or later as the fixed version.

Potential Impact

The primary impact of CVE-2026-23619 is that an attacker with authenticated access can execute arbitrary script within the management interface of MailEssentials AI in the session of another user who views the Local Domains page. This enables session hijacking or, more directly, forged requests issued from the victim's browser: changes to email filtering rules, local domain settings, or other security configuration made with the victim's privileges. Even if the session cookie is HttpOnly, script running inside the victim's page can still send authenticated requests to the console, so cookie protection alone does not neutralize the issue. Because the XSS is stored, the payload persists and fires for every user who views the page until it is removed, which raises the practical risk above that of a reflected XSS with the same score. Organizations relying on MailEssentials AI for email security therefore face tampering with email security policy, exposure of configuration data, and, where the console is operated by several administrators, a route from a low-privileged account to administrative control. The medium CVSS score reflects the authentication and interaction requirements; the actual impact depends on who holds accounts on the console and how closely its use is monitored.

Mitigation Recommendations

To mitigate CVE-2026-23619, upgrade GFI MailEssentials AI to version 22.4 or later, the release the affected-version range identifies as fixed, as soon as it is available to you. Until then, restrict accounts on the management interface to trusted personnel, since every authenticated user is a potential source of the stored payload. If a web application firewall or reverse proxy sits in front of the console, add a rule that inspects the POST body of /MailEssentials/pages/MailSecurity/general.aspx and rejects markup or script in the ctl00$ContentPlaceHolder1$Pv3$txtDescription field; the parameter travels in the form body, so a rule that only examines the URL will not see it. Audit the existing Local Domains entries and remove any description containing HTML, because a payload stored before the upgrade stays in the configuration and should not be left there. Enable multi-factor authentication for all console users to reduce the risk from stolen credentials, noting that MFA does not stop a legitimate but malicious or compromised account from planting the payload. Tell administrators that the console renders user-entered descriptions and to report anything unexpected on that page. Monitor web server logs for repeated POSTs to the vulnerable page, especially from accounts that do not normally administer local domains. Finally, a Content Security Policy that disallows inline script would neutralize the injected handlers, but the console is an ASP.NET Web Forms application that depends on inline postback scripts, so a CSP added at a proxy must be tested against the console before it is enforced.
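The two controls above that can be expressed in code are the request-side check (a WAF or proxy rule on the advisory's parameter) and the render-side fix (output encoding of the stored description). The following is an added example, not GFI's code and not from the advisory: it parses a form-encoded POST body for the ctl00$ContentPlaceHolder1$Pv3$txtDescription parameter, returns a block/allow verdict for the general.aspx endpoint, and shows the HTML-encoding step that makes a stored payload render as inert text. The assumption that the form is posted as application/x-www-form-urlencoded is the usual ASP.NET Web Forms behaviour but is not stated on the page; the sample request bodies are constructed for the example, not captured traffic.

```python
"""Added example (not GFI's code): a WAF-style check on the Local Domains
description field, plus the output-encoding fix at render time.

Assumptions, labelled: the form posts as application/x-www-form-urlencoded
(standard for ASP.NET Web Forms, not confirmed by the advisory); the endpoint
and parameter name are the ones the advisory gives; the request bodies below
are constructed for this example.
"""
import html
import re
from typing import Optional
from urllib.parse import parse_qs

TARGET_PATH = "/MailEssentials/pages/MailSecurity/general.aspx"
TARGET_PARAM = "ctl00$ContentPlaceHolder1$Pv3$txtDescription"

# Constructs a free-text domain description never needs: any tag opener,
# javascript: URLs, and inline event handlers such as onerror= / onload=.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*[a-z!]"
    r"|javascript\s*:"
    r"|\bon[a-z]+\s*=",
    re.IGNORECASE,
)


def description_from_body(body: str) -> Optional[str]:
    """Return the txtDescription value from a form-encoded POST body, or None."""
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get(TARGET_PARAM)
    return values[0] if values else None


def is_suspicious_description(body: str) -> bool:
    """True when the submitted description carries markup or script."""
    value = description_from_body(body)
    return bool(value) and SUSPICIOUS.search(value) is not None


def inspect_request(path: str, body: str) -> str:
    """Verdict for one request: 'block', 'allow', or 'ignore' (other endpoint)."""
    if path.lower() != TARGET_PATH.lower():
        return "ignore"
    return "block" if is_suspicious_description(body) else "allow"


def render_description(stored_value: str) -> str:
    """The render-side fix: HTML-encode the stored value before it reaches the
    page, so a payload is displayed as text instead of being executed."""
    return f"<td>{html.escape(stored_value, quote=True)}</td>"


# Constructed request bodies (not captured traffic). parse_qs decodes %24 to
# '$' and '+' to a space, so the parameter name matches TARGET_PARAM.
BENIGN_BODY = (
    "__VIEWSTATE=abc&"
    "ctl00%24ContentPlaceHolder1%24Pv3%24txtDescription=Corporate+mail+domain+%28HQ%29"
)
MALICIOUS_BODY = (
    "__VIEWSTATE=abc&"
    "ctl00%24ContentPlaceHolder1%24Pv3%24txtDescription="
    "%3Cimg+src%3Dx+onerror%3Dalert%28document.cookie%29%3E"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("malicious", MALICIOUS_BODY)):
        print(label, "->", inspect_request(TARGET_PATH, body))
    print(render_description(description_from_body(MALICIOUS_BODY)))
```

The request-side rule is a stop-gap: it blocks the obvious tag-based payloads but, like any input filter, can be bypassed by encodings the filter does not anticipate, which is why the durable fix is the encoding step in render_description applied by the product itself.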


Technical Details

Data Version: 5.2
Assigner Short Name: VulnCheck
Date Reserved: 2026-01-14T16:02:29.335Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69975aafd7880ec89b287cbd

Added to database: 2/19/2026, 6:47:11 PM

Last enriched: 2/19/2026, 7:02:27 PM

Last updated: 2/19/2026, 9:00:52 PM
