The vulnerability is a stored cross‑site scripting flaw in the Advanced Content Filtering rule creation workflow of GFI MailEssentials AI. An attacker who is authenticated can inject arbitrary HTML or JavaScript via the ctl00$ContentPlaceHolder1$pv1$txtRuleName parameter on the advancedfiltering.aspx page. The payload is stored and later rendered in the management interface, which enables script execution in the context of any logged‑in user. This can lead to session hijacking, defacement, or the execution of malicious commands within the user's browser session.

GFI Software: MailEssentials AI is affected. All versions prior to 22.4 contain the flaw. No further sub‑versions are listed as impacted.

The CVSS score of 5.1 indicates moderate severity, while the EPSS score of less than 1% suggests a very low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Only authenticated users who can create or modify advanced content filtering rules can exploit it; it does not require unauthenticated access or remote code execution. An attacker would need to supply malicious content to the rule‑name field, which is then stored and displayed inside the management console, allowing the injected script to run in the logged‑in user's browser context. No public exploits have been reported, and the limited attack surface reduces the overall risk but it remains important to mitigate.