CVE-2026-23621
Directory Enumeration Vulnerability in GFI MailEssentials AI Web Method
Publication date: 2026-02-19
Last updated on: 2026-02-20
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gfi | mailessentials | to 22.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-203 | The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in GFI MailEssentials AI versions prior to 22.4. It is an arbitrary directory existence enumeration issue found in the ListServer.IsPathExist() web method, which is accessible at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist.
An authenticated user can provide any filesystem path through the JSON key "path". This input is URL-decoded and then passed to the Directory.Exists() function, which allows the attacker to check if arbitrary directories exist on the server.
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to enumerate directories on the server's filesystem. By determining the existence of directories, an attacker can gather information about the server's file structure, which may aid in further attacks or exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know