CVE-2026-23621: CWE-203 Observable Discrepancy in GFI Software MailEssentials AI
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to Directory.Exists(), allowing the attacker to determine whether arbitrary directories exist on the server.
AI Analysis
Technical Summary
CVE-2026-23621 describes an arbitrary directory existence enumeration vulnerability in GFI MailEssentials AI versions prior to 22.4. The issue exists in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to the .NET Directory.Exists() function. This allows the attacker to determine whether arbitrary directories exist on the server, potentially aiding further reconnaissance or attack planning. The vulnerability is rated medium severity with a CVSS 4.0 score of 5.3 and does not require user interaction. No patch or vendor advisory is currently provided.
Potential Impact
An authenticated attacker can enumerate the existence of arbitrary directories on the affected server. This information disclosure can assist in further attacks or reconnaissance but does not directly allow code execution or data modification. The impact is limited to information disclosure about the server's filesystem structure.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict authenticated user access to the vulnerable web method if possible and monitor for suspicious activity related to directory enumeration attempts.
CVE-2026-23621: CWE-203 Observable Discrepancy in GFI Software MailEssentials AI
Description
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to Directory.Exists(), allowing the attacker to determine whether arbitrary directories exist on the server.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-23621 describes an arbitrary directory existence enumeration vulnerability in GFI MailEssentials AI versions prior to 22.4. The issue exists in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key "path", which is URL-decoded and passed to the .NET Directory.Exists() function. This allows the attacker to determine whether arbitrary directories exist on the server, potentially aiding further reconnaissance or attack planning. The vulnerability is rated medium severity with a CVSS 4.0 score of 5.3 and does not require user interaction. No patch or vendor advisory is currently provided.
Potential Impact
An authenticated attacker can enumerate the existence of arbitrary directories on the affected server. This information disclosure can assist in further attacks or reconnaissance but does not directly allow code execution or data modification. The impact is limited to information disclosure about the server's filesystem structure.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict authenticated user access to the vulnerable web method if possible and monitor for suspicious activity related to directory enumeration attempts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-01-14T16:02:29.336Z
- Cvss Version
- 4.0
- State
- PUBLISHED
Threat ID: 69975aafd7880ec89b287c73
Added to database: 2/19/2026, 6:47:11 PM
Last enriched: 5/14/2026, 2:08:15 AM
Last updated: 5/21/2026, 10:24:55 PM
Views: 72
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.