Description
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON "popServers" payload to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross‑site scripting enabling script execution in the context of authenticated users
Action: Apply Patch
AI Analysis

Impact

A stored cross‑site scripting flaw exists in GFI MailEssentials AI versions earlier than 22.4. An authenticated user can supply arbitrary HTML or JavaScript in the POP3 server login field of the JSON popServers payload sent to the POP2Exchange configuration endpoint. The data is persisted and later rendered in the web‑based management interface, enabling the execution of malicious scripts in the context of any logged‑in administrator. This can lead to session hijacking, credential theft, or further lateral movement within the protected network.

Affected Systems

GFI Software MailEssentials AI, all releases before 22.4.

Risk and Exploitability

The flaw carries a CVSS v4.0 score of 5.1 (medium; the CVSS v3.1 vector scores 5.4) and an EPSS score below 1%. It is not listed in the CISA KEV catalog, so no exploitation in the wild is known. Exploitation requires an authenticated account that can submit the POP2Exchange Save request (CVSS PR:L) and a victim who later opens the page where the value is rendered (UI:P). Because the payload is stored rather than reflected, it does not stay confined to the attacker's own account: it fires for every subsequent user, including administrators, who views the configuration, which makes a low-privilege or compromised account escalating to an administrator's browser session the realistic attack path. Exploitation is therefore plausible wherever an attacker holds or obtains any account that can edit this setting.

Generated by OpenCVE AI on April 16, 2026 at 16:52 UTC.

Remediation

The description states that versions prior to 22.4 are affected, so GFI MailEssentials AI 22.4 is the fixed release. No separate vendor workaround is listed on this page.

OpenCVE Recommended Actions

  • Deploy the official GFI MailEssentials AI 22.4 update or later to eliminate the stored‑XSS flaw.
  • If an upgrade is not immediately possible, restrict access to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save so that only trusted administrators can write configuration data, and limit who holds any account on the management interface, since the attack needs only an authenticated user.
  • Until patched, audit the stored POP3 server login values for HTML markup or script (angle brackets, quotes, event-handler attributes) and remove any entry that is not a plain login name; a login name has no legitimate need for these characters. Note that the root cause is missing output encoding when the value is rendered, which only the vendor update can fix.
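The following is an added example, not GFI code or anything from this advisory, that turns the Impact description and the audit action above into a runnable check: it parses a captured POP2Exchange Save request body, flags any popServers entry whose login field carries markup, and shows the HTML-encoded form that a correctly encoded render would emit instead. The page names only the "popServers" key, so the per-entry field names ("login", "username", "user", "host", "port") and the sample payload are assumptions constructed for the example.

```python
"""Scan a POP2Exchange "Save" payload for markup in POP3 login fields.

Added example for this page; not GFI code. Assumes the JSON body holds a
"popServers" array whose entries carry the POP3 login in a "login" key
(the page names the key "popServers" but not the login field's key, so
the field names below are assumptions). Detection is by pattern, so treat
hits as leads to review, not proof of an attack.
"""
import html
import json
import re

LOGIN_KEYS = ("login", "username", "user")  # assumed field names

# Characters and tokens that have no business in a mailbox login name:
# tag delimiters, quotes, numeric entities, javascript: URLs, on*= handlers
MARKUP_RE = re.compile(r"[<>\"']|&#|javascript:|on\w+\s*=", re.IGNORECASE)


def find_markup(payload: str) -> list[dict]:
    """Return one finding per popServers entry whose login carries markup."""
    body = json.loads(payload)
    findings = []
    for idx, server in enumerate(body.get("popServers", [])):
        for key in LOGIN_KEYS:
            value = server.get(key)
            if isinstance(value, str) and MARKUP_RE.search(value):
                findings.append({
                    "index": idx,
                    "field": key,
                    "raw": value,
                    # what an output-encoded render would emit instead
                    "encoded": html.escape(value, quote=True),
                })
    return findings


# Constructed sample request body, modelled on the description (not a
# real capture); the second entry carries a stored-XSS style login value
SAMPLE_PAYLOAD = json.dumps({
    "popServers": [
        {"host": "pop.example.com", "port": 995, "login": "mailbox1"},
        {"host": "pop.example.com", "port": 995,
         "login": "x\"><img src=x onerror=alert(document.cookie)>"},
    ]
})

if __name__ == "__main__":
    for f in find_markup(SAMPLE_PAYLOAD):
        print(f"popServers[{f['index']}].{f['field']} contains markup: {f['raw']!r}")
        print(f"  encoded for safe rendering: {f['encoded']}")
```

Run it against request bodies captured at the reverse proxy or against an export of the stored configuration; any hit is a value to remove, and the "encoded" field illustrates why the vendor fix is an output-encoding change rather than input filtering.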

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Feb 2026 17:30:00 +0000

Type Values Removed Values Added
First Time appeared Gfi mailessentials
CPEs cpe:2.3:a:gfi:mailessentials:*:*:*:*:*:*:*:*
Vendors & Products Gfi mailessentials

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Gfi
Gfi mailessentials Ai
Vendors & Products Gfi
Gfi mailessentials Ai

Thu, 19 Feb 2026 20:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Thu, 19 Feb 2026 18:15:00 +0000

Type Values Removed Values Added
Description GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON "popServers" payload to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
Title GFI MailEssentials AI < 22.4 POP2Exchange POP3 Server Login Stored XSS
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-02T16:46:26.118Z

Reserved: 2026-01-14T16:02:29.334Z

Link: CVE-2026-23610

Vulnrichment

Updated: 2026-02-20T19:52:51.278Z

NVD

Status : Analyzed

Published: 2026-02-19T18:24:55.590

Modified: 2026-02-20T17:29:47.100

Link: CVE-2026-23610

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses