5.3

GFI MailEssentials AI versions prior to 22.4 allow file existence checks

CVE-2026-23620
Summary

GFI MailEssentials AI versions before 22.4 have a security flaw that allows an attacker to see if specific files exist on your server. This could potentially reveal sensitive information about your server's configuration or data. Update to version 22.4 or later to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
gfi | mailessentials | <= 22.4 |
Original title
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/Lis...
Original description
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to File.Exists(), allowing the attacker to determine whether arbitrary files exist on the server.
nvd CVSS3.1 4.3
nvd CVSS4.0 5.3
Vulnerability type
CWE-203
Published: 19 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026
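
The original description above attributes the flaw to a caller-supplied path reaching File.Exists() without restriction. The following C# sketch is an added example, not GFI's code or its actual fix: it shows one way to confine such a check to a single directory while returning the same answer for rejected and missing paths. The class name, method name and the AllowedRoot directory are assumptions made for illustration.

```csharp
using System;
using System.IO;

// Hypothetical helper (not vendor code): an existence check limited to one directory.
public static class ConfinedFileCheck
{
    // Assumption: the only directory in which the application's databases may live.
    // The trailing separator stops "C:\ExampleApp\DataEvil" from matching the prefix.
    private static readonly string AllowedRoot =
        Path.GetFullPath(@"C:\ExampleApp\Data") + Path.DirectorySeparatorChar;

    // Call this with the value after any URL decoding, so that encoded "..\"
    // sequences are already expanded when the checks run.
    public static bool ExistsUnderRoot(string userPath)
    {
        if (string.IsNullOrWhiteSpace(userPath)) return false;
        if (userPath.IndexOfAny(Path.GetInvalidPathChars()) >= 0) return false;

        string full;
        try
        {
            // Path.Combine returns userPath unchanged when it is rooted
            // (drive letter or UNC); GetFullPath then collapses "." and "..".
            full = Path.GetFullPath(Path.Combine(AllowedRoot, userPath));
        }
        catch (Exception ex) when (ex is ArgumentException ||
                                   ex is NotSupportedException ||
                                   ex is PathTooLongException)
        {
            return false;
        }

        // Anything that resolves outside the allowed directory gets the same
        // "false" as a file that is simply absent, so the response does not
        // distinguish the two cases.
        if (!full.StartsWith(AllowedRoot, StringComparison.OrdinalIgnoreCase))
            return false;

        return File.Exists(full);
    }
}
```

The prefix comparison runs on the canonicalized path, not on the raw input, which is what makes absolute paths, UNC paths and `..` traversal all fall through to the same rejected result.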