Vulnerability Description
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pvSubject$TXB_SubjectCondition parameter to /MailEssentials/pages/MailSecurity/ASKeywordChecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Gfi | Mailessentials | < 22.4 |
Related Weaknesses (CWE)
References
- https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/Release Notes
- https://www.vulncheck.com/advisories/gfi-mailessentials-ai-anti-spam-spam-keyworThird Party Advisory
FAQ
What is CVE-2026-23618?
CVE-2026-23618 is a vulnerability with a CVSS score of 5.4 (MEDIUM). GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Spam Keyword Checking (Subject) conditions interface. An authenticated user can supply HTML/Java...
How severe is CVE-2026-23618?
CVE-2026-23618 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-23618?
Check the references section above for vendor advisories and patch information. Affected products include: Gfi Mailessentials.