GFI MailEssentials AI versions prior to 22.4 allow an authenticated administrator to inject arbitrary HTML or JavaScript into the Anti‑Spoofing configuration page via the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter. The payload is stored and later rendered into the management interface, causing script execution in the browser context of any logged‑in user. This stored XSS flaw can be used to steal session cookies, deface the interface, or execute further malicious actions as the affected user, thereby compromising confidentiality, integrity, and availability of the mail server administration function. The vulnerability is a classic stored cross‑site scripting flaw (CWE‑79).

All GFI Software MailEssentials AI deployments running any version earlier than 22.4 are affected. No specific minor releases are excluded, so any custom or patched build prior to the 22.4 release remains vulnerable.

The CVSS score of 5.1 indicates a medium severity level, while the EPSS value of less than 1% suggests a very low probability of exploitation at this time. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Because the attack requires valid administrator credentials and access to the configuration page, the vector is internal or authenticated web. Once an attacker gains console access, they can inject scripts that run with the privileges of the logged‑in user, potentially leading to data theft, privilege escalation within the web application, or other malicious activities.