Description
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to File.Exists(), allowing the attacker to determine whether arbitrary files exist on the server.
Published: 2026-02-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch Now
AI Analysis

Impact

An authenticated user can supply an unrestricted, URL-decoded filesystem path through the JSON "path" key of the ListServer.IsDBExist web method, causing server-side code to call File.Exists and return the existence status of any target file. This lets the attacker enumerate arbitrary files on the MailEssentials AI server, revealing sensitive file locations and potentially facilitating subsequent attacks such as credential theft or code execution through other vulnerabilities. The root cause is a classic missing input-validation check; the resulting weakness is tracked as CWE-203 (observable discrepancy), because the method's response reveals whether a given server file exists and so discloses internal system information.
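
As an added illustration (not the page's or GFI's code), the following shows the vulnerable pattern the description outlines beside a confined version that only probes files inside a fixed directory; the class, method and directory names are assumptions:

```csharp
using System;
using System.IO;
using System.Web;

// Added illustration, not GFI's code. DbPathChecker and AllowedDbDirectory are
// assumed names and the directory is a placeholder. The vulnerable shape is the one
// the advisory describes: the JSON "path" value is URL-decoded and handed to File.Exists().
public static class DbPathChecker
{
    // Only files under this directory may be probed (assumed configuration value).
    // Path.GetFullPath keeps the trailing separator, which the prefix check below relies
    // on so that a sibling directory such as "...\DataOther\" does not pass.
    public static readonly string AllowedDbDirectory =
        Path.GetFullPath(@"C:\Program Files\GFI\MailEssentials\Data\"); // placeholder

    // Vulnerable shape: any absolute path or "..\" sequence reaches the filesystem and
    // the boolean answer becomes an existence oracle for the whole server (CWE-203).
    public static bool IsDbExistVulnerable(string path)
    {
        return File.Exists(HttpUtility.UrlDecode(path));
    }

    // Hardened shape: decode first, validate the decoded value, canonicalize, and confirm
    // the result still lies inside AllowedDbDirectory before calling File.Exists.
    public static bool IsDbExistHardened(string path)
    {
        string name = HttpUtility.UrlDecode(path ?? string.Empty);

        // Accept only a bare file name: no separators, drive letters or "..".
        if (name.Length == 0 || name == ".." || name != Path.GetFileName(name))
            return false;

        string full;
        try
        {
            full = Path.GetFullPath(Path.Combine(AllowedDbDirectory, name));
        }
        catch (ArgumentException)
        {
            return false; // invalid path characters
        }

        if (!full.StartsWith(AllowedDbDirectory, StringComparison.OrdinalIgnoreCase))
            return false; // canonical path escaped the allowed directory

        return File.Exists(full);
    }
}
```

Validation is applied to the decoded value, so encoded separators and traversal sequences are rejected the same way as literal ones.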

Affected Systems

The vulnerability affects GFI Software MailEssentials AI versions prior to 22.4, specifically the ListServer.IsDBExist endpoint at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. Exploitation requires a valid authenticated session; it cannot be triggered by unauthenticated users.

Risk and Exploitability

The CVSS score is 5.3, indicating medium severity, while the EPSS score is below 1%, reflecting a very low exploitation probability as of this analysis. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to obtain valid credentials and craft a request to the vulnerable endpoint, then supply arbitrary paths. The practical impact is limited to knowledge of file existence, but it can be a stepping stone toward more serious attacks when combined with other weaknesses.

Generated by OpenCVE AI on April 16, 2026 at 16:49 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade GFI MailEssentials AI to version 22.4 or later.
  • Restrict authenticated access to the ListServer.IsDBExist endpoint by implementing least‑privilege policies or role‑based access controls.
  • If a patch is unavailable, disable the ListServer module or remove access to the /MailSecurity/ListServer.aspx/IsDBExist path from untrusted networks.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 17:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gfi mailessentials
CPEs | | cpe:2.3:a:gfi:mailessentials:*:*:*:*:*:*:*:*
Vendors & Products | | Gfi mailessentials

Fri, 20 Feb 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gfi, Gfi mailessentials Ai
Vendors & Products | | Gfi, Gfi mailessentials Ai

Thu, 19 Feb 2026 20:00:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Thu, 19 Feb 2026 18:15:00 +0000

Type | Values Removed | Values Added
Description | | GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to File.Exists(), allowing the attacker to determine whether arbitrary files exist on the server.
Title | | GFI MailEssentials AI < 22.4 ListServer.IsDbExist() Absolute Directory Traversal to File Enumeration
Weaknesses | | CWE-203
References | |
Metrics | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Gfi Mailessentials Mailessentials Ai
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-02T16:46:34.142Z

Reserved: 2026-01-14T16:02:29.335Z

Link: CVE-2026-23620

Vulnrichment

Updated: 2026-02-20T20:17:31.197Z

NVD

Status: Analyzed

Published: 2026-02-19T18:24:57.973

Modified: 2026-02-20T17:22:08.900

Link: CVE-2026-23620

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:00:09Z

Weaknesses