5.3
GFI MailEssentials: Unrestricted Directory Existence Disclosure
CVE-2026-23621
Summary
GFI MailEssentials versions before 22.4 allow an authenticated user to determine whether arbitrary directories exist on the server by submitting a crafted filesystem path. This can help an attacker gather information about the server's file system. Update to version 22.4 or later to fix this issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| gfi | mailessentials | <= 22.4 | – |
Original title
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecur...
Original description
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to Directory.Exists(), allowing the attacker to determine whether arbitrary directories exist on the server.
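For defenders who cannot patch immediately, the following added example (not part of the advisory or of GFI's code) flags bursts of calls to the IsPathExist endpoint in IIS W3C extended logs, grouped by client IP and authenticated user. The log field layout, the sample lines, the threshold of 5 calls and the 60-second window are assumptions to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint path as given in the advisory; compared case-insensitively.
PATH = "/MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist"
ENDPOINT = PATH.lower()

# Constructed sample log in W3C extended format (not real traffic).
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status\n"
    + "".join(f"2026-03-01 10:00:{s:02d} 10.0.0.5 alice POST {PATH} 200\n"
              for s in range(0, 12, 2))
    + f"2026-03-01 10:05:00 10.0.0.9 bob POST {PATH} 200\n"
    + f"2026-03-01 11:30:00 10.0.0.9 bob POST {PATH} 200\n"
    + "2026-03-01 11:31:00 10.0.0.9 bob GET /constructed/other.aspx 200\n"
)

def parse_w3c(text):
    """Yield one dict per log entry, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):  # skip malformed or truncated lines
                yield dict(zip(fields, parts))

def find_bursts(text, threshold=5, window=timedelta(seconds=60)):
    """Return {(c-ip, cs-username): peak} where peak calls within window >= threshold."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        if row.get("cs-method") == "POST" and row.get("cs-uri-stem", "").lower() == ENDPOINT:
            ts = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            hits[(row.get("c-ip"), row.get("cs-username"))].append(ts)
    flagged = {}
    for key, times in hits.items():
        times.sort()
        start = peak = 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[key] = peak
    return flagged
```

IIS does not record request bodies by default, so the probed "path" values are not visible in these logs; the check keys on call volume per source instead.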
nvd CVSS3.1
4.3
nvd CVSS4.0
5.3
Vulnerability type
CWE-203
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026