漏洞关键信息 漏洞标题: GFI MailEssentials AI < 22.4 Anti-Spam Anti-Spoofing Description Stored XSS 严重程度: MEDIUM 日期: 2/19/2026 CVE编号: CVE-2026-23616 CVSS V4 分数: 4.0 CVSS V4 向量: AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N 影响版本: GFI MailEssentials AI < 22.4 漏洞类型: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') 参考资料: - GFI MailEssentials Release Notes 发现者: Alex Williams from Pellera Technologies 描述: - GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing configuration page. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$AntiSpoofingGeneral1$TxtSmtpDesc parameter to /MailEssentials/pages/MailSecurity/AntiSpoofing.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.