CVE-2026-23611— GFI MailEssentials AI < 22.4 Anti-Spam IP Blocklist Description Stored XSS
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-23611
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
GFI MailEssentials AI < 22.4 Anti-Spam IP Blocklist Description Stored XSS
Source: NVD (National Vulnerability Database)
Vulnerability Description
GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the IP Blocklist management page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$txtIPDescription parameter to /MailEssentials/pages/MailSecurity/ipblocklist.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
GFI MailEssentials AI 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
GFI MailEssentials AI是美国GFI开源的一个反垃圾邮件与数据泄露防护软件。 GFI MailEssentials AI 22.4之前版本存在安全漏洞,该漏洞源于IP Blocklist管理页面存在存储型跨站脚本漏洞,可能导致脚本执行。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| GFI Software | MailEssentials AI | 0 ~ 22.4 | - |
II. Public POCs for CVE-2026-23611
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-23611
请登录查看更多情报信息。
Same Patch Batch · GFI Software · 2026-02-19 · 18 CVEs total
| CVE-2026-23609 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 General Settings Perimeter SMTP Servers Description Stored XS |
| CVE-2026-23616 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam Anti-Spoofing Description Stored XSS |
| CVE-2026-23606 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Advanced Content Filtering Rule Stored XSS |
| CVE-2026-23608 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Email Management Mail Monitoring Rule Stored XSS |
| CVE-2026-23605 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Attachment Filtering Rule Stored XSS |
| CVE-2026-23607 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam Whitelist Description Stored XSS |
| CVE-2026-23613 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam URI DNS Blocklist Domain Stored XSS |
| CVE-2026-23614 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam Sender Policy Framework IP Exceptions Description S |
| CVE-2026-23604 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Keyword Filtering Rule Stored XSS |
| CVE-2026-23612 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam IP DNS Blocklist Domain Stored XSS |
| CVE-2026-23619 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 General Settings Local Domains Domain Description Stored XSS |
| CVE-2026-23617 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam Spam Keyword Checking Body Condition Stored XSS |
| CVE-2026-23615 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam Sender Policy Framework Email Exceptions Descriptio |
| CVE-2026-23618 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 Anti-Spam Spam Keyword Checking Subject Condition Stored XSS |
| CVE-2026-23610 | 5.4 MEDIUM | GFI MailEssentials AI < 22.4 POP2Exchange POP3 Server Login Stored XSS |
| CVE-2026-23620 | 4.3 MEDIUM | GFI MailEssentials AI < 22.4 ListServer.IsDbExist() Absolute Directory Traversal to File E |
| CVE-2026-23621 | 4.3 MEDIUM | GFI MailEssentials AI < 22.4 ListServer.IsPathExist() Absolute Directory Traversal to File |
IV. Related Vulnerabilities
Same product: MailEssentials AI
- CVE-2026-23621
GFI MailEssentials AI < 22.4 ListServer.IsPathExist() Absolu - CVE-2026-23620
GFI MailEssentials AI < 22.4 ListServer.IsDbExist() Absolute - CVE-2026-23619
GFI MailEssentials AI < 22.4 General Settings Local Domains - CVE-2026-23618
GFI MailEssentials AI < 22.4 Anti-Spam Spam Keyword Checking - CVE-2026-23617
GFI MailEssentials AI < 22.4 Anti-Spam Spam Keyword Checking
Same vendor: GFI Software
- CVE-2026-23753
GFI HelpDesk < 4.99.9 Stored XSS via charset Parameter - CVE-2026-23752
GFI HelpDesk < 4.99.9 Stored XSS via companyname Parameter - CVE-2026-23756
GFI HelpDesk < 4.99.9 Stored XSS via Troubleshooter Step Sub - CVE-2026-23758
GFI HelpDesk < 4.99.9 Stored XSS via editsubject Parameter - CVE-2026-23757
GFI HelpDesk < 4.99.10 Stored XSS via Reports Module
Same weakness: CWE-79
- CVE-2026-8262
Devs Palace ERP Online chart-save cross site scripting - CVE-2026-8256
Devs Palace ERP Online mr-save cross site scripting - CVE-2026-8255
Devs Palace ERP Online add_new_customer cross site scripting - CVE-2026-8254
Devs Palace ERP Online sales_save cross site scripting - CVE-2026-8253
Devs Palace ERP Online purchase_save cross site scripting
V. Comments for CVE-2026-23611
No comments yet