GFI MailEssentials versions before 22.4: Stored JavaScript injection in management interface

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

5.1

GFI MailEssentials versions before 22.4: Stored JavaScript injection in management interface

CVE-2026-23604

Summary

If an attacker has an account on the system, they can inject malicious code into the management interface, which could let them take control of the system or steal sensitive information. This affects all versions of GFI MailEssentials before 22.4. Update to version 22.4 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
gfi	mailessentials	<= 22.4	–

Original title

Original description

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.

nvd CVSS3.1 5.4

nvd CVSS4.0 5.1

Vulnerability type

CWE-79 Cross-site Scripting (XSS)

https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/... Release Notes
https://www.vulncheck.com/advisories/gfi-mailessentials-ai-keyword-filtering-rul... Third Party Advisory

Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026