CVE-2026-23610

Medium CVSS: 5.1

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the POP2Exchange configuration endpoint. An authenticated user can supply HTML/JavaScript in the POP3 server login field within the JSON \"popServers\" payload to /MailEssentials/pages/MailSecurity/POP2Exchange.aspx/Save, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.

Vendor

Gfi

Product

Mailessentials

CWE

CWE-79

Yayın Tarihi

2026-02-19 18:24:55

Güncelleme

2026-02-20 17:29:47

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-79 Mailessentials MEDIUM Gfi 2026

Referanslar

https://gfi.ai/products-and-solutions/network-security-solutions/mailessentials/resources/documentation/product-releases https://www.vulncheck.com/advisories/gfi-mailessentials-ai-pop2exchange-pop3-server-login-stored-xss

Benzer Kayıtlar

High

CVE-2026-2036

GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…

High

CVE-2026-2037

GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows…

Critical

CVE-2026-2038

GFI Archiver MArc.Core Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attac…

Critical

CVE-2026-2039

GFI Archiver MArc.Store Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote atta…

Medium

CVE-2026-23621

GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the L…

Medium

CVE-2026-23616

GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Anti-Spoofing co…