Vulnerability Details CVE-2026-23605
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Attachment Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/attachmentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 9.5%
CVSS Severity
CVSS v3 Score 5.4
References
Products affected by CVE-2026-23605
-
cpe:2.3:a:gfi:mailessentials:20
-
cpe:2.3:a:gfi:mailessentials:20.1
-
cpe:2.3:a:gfi:mailessentials:20.2
-
cpe:2.3:a:gfi:mailessentials:20.3
-
cpe:2.3:a:gfi:mailessentials:21.0
-
cpe:2.3:a:gfi:mailessentials:21.1
-
cpe:2.3:a:gfi:mailessentials:21.2
-
cpe:2.3:a:gfi:mailessentials:21.3
-
cpe:2.3:a:gfi:mailessentials:21.4
-
cpe:2.3:a:gfi:mailessentials:21.5
-
cpe:2.3:a:gfi:mailessentials:21.6
-
cpe:2.3:a:gfi:mailessentials:21.7
-
cpe:2.3:a:gfi:mailessentials:21.8