CVE-2026-23618
📋 TL;DR
This stored XSS vulnerability in GFI MailEssentials AI allows authenticated users to inject malicious scripts into the spam keyword checking interface. When administrators view the management interface, the scripts execute in their session context, potentially compromising administrative accounts. This affects organizations using GFI MailEssentials AI versions before 22.4.
💻 Affected Systems
- GFI MailEssentials AI
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker with authenticated access could steal administrator session cookies, perform administrative actions as the victim, or pivot to other systems using the compromised account.
Likely Case
Privilege escalation within the MailEssentials application, allowing attackers to modify security settings, access sensitive email data, or maintain persistence.
If Mitigated
Limited to authenticated users only, with proper input validation and output encoding preventing successful exploitation.
🎯 Exploit Status
Exploitation requires authenticated access to the web interface and knowledge of the vulnerable parameter.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 22.4 or later
Vendor Advisory: https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases
Restart Required: Yes
Instructions:
1. Download GFI MailEssentials AI version 22.4 or later from the official vendor portal.
2. Run the installer on the MailEssentials server.
3. Follow the upgrade wizard prompts.
4. Restart the MailEssentials services after installation completes.
🔧 Temporary Workarounds
Input Validation Filter
Implement web application firewall rules or input validation to block HTML/JavaScript in the vulnerable parameter
Access Restriction
Restrict access to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx to trusted administrators only
🧯 If You Can't Patch
- Implement strict input validation on the ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition parameter to reject HTML/JavaScript content
- Apply output encoding when rendering user-supplied content in the management interface to neutralize script execution
🔍 How to Verify
Check if Vulnerable:
Check if current GFI MailEssentials AI version is below 22.4 in the administration interface
Check Version:
Check Help > About in MailEssentials web interface or examine installed programs in Windows Control Panel
Verify Fix Applied:
Confirm version is 22.4 or higher and test that HTML/JavaScript input in the spam keyword subject field is properly sanitized
📡 Detection & Monitoring
Log Indicators:
- Unusual HTML/JavaScript patterns in spam keyword configuration logs
- Multiple failed login attempts followed by successful authentication and configuration changes
Network Indicators:
- POST requests to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx containing script tags or JavaScript in parameters
SIEM Query:
source="mailessentials" AND uri="/MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx" AND param="ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition" AND (value CONTAINS "<script>" OR value CONTAINS "javascript:")
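The detection logic above, run over constructed sample log lines, as an added example that is not from the advisory or the vendor. It assumes a hypothetical proxy log format that records the URL-encoded POST body (IIS access logs alone do not), and it also flags inline event-handler attributes, which go slightly beyond the two indicators the advisory lists.

```python
import re
from urllib.parse import parse_qs

# Values taken from the advisory above.
VULN_PATH = "/MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx"
VULN_PARAM = "ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition"

# <script> tags and javascript: URLs as in the advisory, plus inline event
# handler attributes (onerror=, onload=, ...), a common variant worth flagging.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript\s*:|\bon\w+\s*=", re.IGNORECASE)

# Constructed sample log in a hypothetical format: "<client> <method> <path> <form body>".
# Assumes a proxy or WAF in front of the server records the URL-encoded POST body.
SAMPLE_LOG = """\
10.0.0.5 POST /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx __VIEWSTATE=AAA&ctl00%24ContentPlaceHolder1%24pvSubject%24TXB_SubjectCondition=%3Cscript%3Ealert(1)%3C%2Fscript%3E
10.0.0.6 POST /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx __VIEWSTATE=AAA&ctl00%24ContentPlaceHolder1%24pvSubject%24TXB_SubjectCondition=Free+money+now
10.0.0.7 GET /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx -
10.0.0.8 POST /MailEssentials/pages/example.aspx q=%3Cscript%3E
10.0.0.9 POST /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx ctl00%24ContentPlaceHolder1%24pvSubject%24TXB_SubjectCondition=JaVaScRiPt%3Aalert(1)
"""

def parse_line(line):
    """Split one constructed log line into its fields; None for malformed lines."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    client, method, path, body = parts
    return {"client": client, "method": method, "path": path, "body": body}

def is_suspicious(record):
    """True only for POSTs to the vulnerable page whose vulnerable parameter
    carries script content. Path and parameter are checked first, then the
    value, which is the grouping the SIEM query needs to avoid firing on any
    request anywhere that happens to contain 'javascript:'."""
    if record["method"] != "POST" or record["path"] != VULN_PATH:
        return False
    params = parse_qs(record["body"], keep_blank_values=True)  # decodes %24 -> $, %3C -> <
    return any(SCRIPT_RE.search(v) for v in params.get(VULN_PARAM, []))

def find_suspicious(log_text):
    """Return the client addresses of records matching the detection logic."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record and is_suspicious(record):
            hits.append(record["client"])
    return hits

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOG))  # ['10.0.0.5', '10.0.0.9']
```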