CVE-2026-23605
MEDIUMCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Tags
Description
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/attachmentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
Analysis
GFI MailEssentials AI versions before 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation feature that allows authenticated users to inject malicious scripts into rule names, which execute when administrators access the management interface. An attacker with valid credentials can exploit this to perform actions on behalf of logged-in administrators or steal sensitive information from the management dashboard. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. Verify Content-Security-Policy and output encoding.
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today