CVE-2026-23615 Overview
CVE-2026-23615 is a stored cross-site scripting (XSS) vulnerability in GFI MailEssentials AI versions prior to 22.4. The flaw resides in the Sender Policy Framework (SPF) Email Exceptions interface at /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx. An authenticated user can submit HTML or JavaScript payloads through the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription parameter. The application persists the input and later renders it without proper output encoding in the management console. The injected script executes in the browser context of any administrator who views the affected page, enabling session theft, configuration tampering, and lateral actions within the management interface.
Critical Impact
An authenticated attacker can persist JavaScript that executes in the browser of any logged-in administrator viewing the SPF Email Exceptions interface, enabling account takeover and unauthorized mail-security configuration changes.
Affected Products
- GFI MailEssentials AI versions prior to 22.4
- Component: Sender Policy Framework Email Exceptions module
- Endpoint: /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx
Discovery Timeline
- 2026-02-19 - CVE-2026-23615 published to NVD
- 2026-02-20 - Last updated in NVD database
Technical Details for CVE-2026-23615
Vulnerability Analysis
The vulnerability is a stored cross-site scripting flaw classified under CWE-79. The SPF Email Exceptions feature accepts a free-form description field used to annotate sender policy entries. The application stores this description server-side and reflects it back into the administrative web interface when the SPF configuration page is rendered.
The input is not sanitized on storage, and the output is not contextually encoded when written into the HTML response. As a result, the browser parses attacker-supplied markup as executable content. The XSS executes with the privileges of the authenticated administrator who loads the affected page. The attacker leverages the persisted payload to read session cookies, issue authenticated requests, or pivot to other administrative functions exposed by MailEssentials.
Root Cause
The root cause is missing output encoding of the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription field when it is rendered back to the SPF management view. The server-side ASP.NET handler trusts the stored value and emits it directly into the HTML document body, allowing <script> tags and event-handler attributes to be interpreted by the browser.
Attack Vector
Exploitation requires an authenticated session with permission to modify SPF Email Exceptions. The attacker submits a crafted POST request to SenderPolicyFramework.aspx containing a JavaScript payload in the description parameter. The payload triggers when an administrator subsequently opens the SPF Email Exceptions view. User interaction is required on the victim side. No verified public proof-of-concept is currently available. See the VulnCheck Advisory for GFI MailEssentials for additional technical detail.
Detection Methods for CVE-2026-23615
Indicators of Compromise
- POST requests to /MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx containing HTML tags or script syntax in the ctl00$ContentPlaceHolder1$pv4$txtEmailDescription parameter.
- Stored SPF exception descriptions containing <script>, onerror=, onload=, or javascript: substrings.
- Outbound requests from administrator browsers to unfamiliar hosts immediately after loading the SPF management page.
Detection Strategies
- Inspect web server access logs for POST bodies to the SPF endpoint with URL-encoded angle brackets or known XSS keywords.
- Query the MailEssentials configuration store for SPF exception entries whose description field contains HTML control characters.
- Deploy a web application firewall rule that flags script-like syntax submitted to the txtEmailDescription parameter.
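A scanner that applies the indicators and detection strategies above to web server access logs and to entries read from the configuration store, added here as an example and not code from the advisory or from GFI; the access-log line format (method, path, raw POST body), the entry shape of the configuration store, and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameter named in the advisory.
SPF_PATH = "/MailEssentials/pages/MailSecurity/SenderPolicyFramework.aspx"
DESC_PARAM = "ctl00$ContentPlaceHolder1$pv4$txtEmailDescription"

# Script-like syntax from the advisory's indicators, plus any raw angle
# bracket: a plain-text SPF exception description never needs one.
XSS_PATTERNS = re.compile(
    r"<\s*script|on(?:error|load)\s*=|javascript\s*:|[<>]", re.IGNORECASE)

def description_is_suspicious(value):
    """True if a decoded description contains script-like syntax."""
    return XSS_PATTERNS.search(value) is not None

def extract_description(body):
    """Return the decoded description field from a URL-encoded POST body."""
    values = parse_qs(body, keep_blank_values=True).get(DESC_PARAM)
    return values[0] if values else None

def scan_access_log(lines):
    """Yield (line_no, description) for POSTs to the SPF page whose
    description parameter contains script-like syntax. Assumed line
    format (constructed for this example): 'METHOD PATH RAW_BODY'."""
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        method, path, body = parts
        if method != "POST" or urlsplit(path).path != SPF_PATH:
            continue
        desc = extract_description(body)
        if desc is not None and description_is_suspicious(desc):
            yield n, desc

def scan_stored_entries(entries):
    """Apply the same check to descriptions read from the configuration
    store (assumed here to be dicts with a 'description' key)."""
    return [e for e in entries if description_is_suspicious(e["description"])]

# Constructed sample log: a benign save, a page load, and an injection attempt.
SAMPLE_LOG = [
    "POST " + SPF_PATH + " ctl00%24ContentPlaceHolder1%24pv4%24"
    "txtEmailDescription=Partner+relay",
    "GET " + SPF_PATH + " -",
    "POST " + SPF_PATH + " ctl00%24ContentPlaceHolder1%24pv4%24"
    "txtEmailDescription=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
]
```

The same `description_is_suspicious` check can be pointed at exported SPF exception descriptions when auditing existing entries before and after the upgrade.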
Monitoring Recommendations
- Monitor administrator authentication events and correlate with anomalous changes to SPF exception lists.
- Alert on Content Security Policy violations originating from MailEssentials administrative pages.
- Review audit logs for SPF policy modifications performed by accounts that do not normally manage mail security.
How to Mitigate CVE-2026-23615
Immediate Actions Required
- Upgrade GFI MailEssentials AI to version 22.4 or later as published in the GFI MailEssentials Release Documentation.
- Audit existing SPF Email Exceptions for description fields containing HTML or script content and remove offending entries.
- Restrict access to the MailEssentials administrative interface to a limited set of trusted administrators and source networks.
Patch Information
GFI has remediated the issue in MailEssentials AI version 22.4. Administrators should consult the vendor release documentation and apply the corresponding update package. After patching, re-validate that stored description fields are correctly encoded on render.
Workarounds
- Limit SPF management permissions to a minimum set of accounts using role-based access control.
- Place the MailEssentials administrative interface behind a network restriction or VPN to reduce exposure to authenticated attackers.
- Enforce browser-side protections such as a strict Content Security Policy on the management interface to constrain inline script execution.
# Verify the installed MailEssentials version on the host
# (run from an elevated PowerShell prompt on the MailEssentials server)
powershell -Command "Get-ItemProperty 'HKLM:\SOFTWARE\GFI\MailEssentials' | Select-Object CurrentVersion"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.