关键信息 漏洞名称: GFI MailEssentials AI < 22.4 Keyword Filtering Rule Stored XSS 严重性: Medium 日期: 2/19/2026 CVE编号: CVE-2026-23604 CVSS v4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/V:A:N/SC:L/SI:L/SA:N 参考链接: - GFI MailEssentials Release Notes 发现者: Alex Williams from Pellera Technologies 描述: - GFI MailEssentials AI versions prior to 22.4 contain a stored cross-site scripting vulnerability in the Keyword Filtering rule creation workflow. An authenticated user can supply HTML/JavaScript in the ctl00$ContentPlaceHolder1$pv1$TXB_RuleName parameter to /MailEssentials/pages/MailSecurity/contentchecking.aspx, which is stored and later rendered in the management interface, allowing script execution in the context of a logged-in user.