Stored Cross-Site Scripting Vulnerability in GFI MailEssentials AI
CVE-2026-23604

5.1MEDIUM

Key Information:

Vendor: Gfi Software
Status: Mailessentials Ai
Vendor: CVE Published:; 19 February 2026

🔔 Create Gfi Software Vulnerability Alert

What is CVE-2026-23604?

GFI MailEssentials AI versions prior to 22.4 are susceptible to a stored cross-site scripting (XSS) vulnerability due to improper handling of user-provided data within the Keyword Filtering rule creation workflow. An authenticated user can inject HTML or JavaScript code into the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx. The malicious script is then stored and executed in the context of any user viewing the management interface, potentially exposing sensitive information and allowing unauthorized actions.

Affected Version(s)

MailEssentials AI 0 < 22.4

References

https://gfi.ai/products-and-solutions/network-security-so...

release-notespatch

https://www.vulncheck.com/advisories/gfi-mailessentials-a...

third-party-advisory

CVSS V4

Score:

5.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 19, 2026
Vulnerability Reserved
Jan 14, 2026

Credit

Alex Williams from Pellera Technologies

VulnCheck

CVE-2026-23604 Data

JSON