CVE-2026-23613 MEDIUM

CVE-2026-23613: GFI MailEssentials AI < 22.4 Anti-Spam URI DNS Blocklist Domain Stored XSS

Vendor Gfi Software
Product MailEssentials AI
Weakness CWE-79 · XSS
Published February 19, 2026
Last update May 14, 2026
View on NVD All CVEs

CVSS base score

5.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the URI DNS Blocklist configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_URIs parameter to /MailEssentials/pages/MailSecurity/uridnsblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.

Key dates

02Disclosure timeline

February 19, 2026 CVE published
May 14, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-51905 WordPress RSV PDF Preview plugin <= 1.0 - Stored Cross Site Scripting (XSS) vulnerability CVE-2023-49078 Cross-Site Scripting vulnerability in raptor-web 0.4.4 CVE-2025-8397 Save as PDF Button <= 1.9.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via restpackpdfbutton Shortcode CVE-2023-3086 Cross-site Scripting (XSS) - Stored in nilsteampassnet/teampass CVE-2024-54049 Adobe Connect | Cross-site Scripting (Reflected XSS) (CWE-79)