PT-2026-20900 · Gfi · Gfi Mailessentials

Alex Williams

+1

·

Published

2026-02-19

·

Updated

2026-02-23

·

CVE-2026-23620

CVSS v3.1

4.3

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions: GFI MailEssentials AI, versions prior to 22.4

Description: GFI MailEssentials AI versions before 22.4 allow an authenticated user to determine whether arbitrary files exist on the server. The flaw is in the ListServer.IsDBExist() web method, reachable at the /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist API endpoint. The method takes a filesystem path from the path JSON key of the request without restricting it to the list server's database directory; the value is URL-decoded and passed directly to File.Exists(), so the method's true/false reply discloses whether any path the application process can see exists. This gives an attacker with a valid account a file-existence oracle for enumerating which files are present on the host.

Recommendations: Update GFI MailEssentials AI to version 22.4 or later.
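The decode-then-File.Exists pattern described above, shown as an added example (not GFI's code and not taken from this advisory): a stand-in for the web method that URL-decodes the caller's path and checks it directly, beside a hardened version that accepts only a bare database file name and confines the lookup to the list server's database directory. The function names, the directory layout and the sample files are assumptions constructed for illustration; the real endpoint's request and response formats are not reproduced here.

```python
"""
Added example (not GFI's code): a stand-in for the IsDBExist web method
described in the advisory. is_db_exist_vulnerable() mirrors the flaw
(URL-decode the caller's "path" value, hand it to an exists() check);
is_db_exist_hardened() confines the lookup to an assumed database directory.
Function and directory names are assumptions made for illustration.
"""
import os
import tempfile
from urllib.parse import unquote


def is_db_exist_vulnerable(path_param: str) -> bool:
    """Mirror of the flaw: the 'path' JSON value is URL-decoded and used
    as-is, so the boolean reply is a file-existence oracle for everything
    the worker process can see (os.path.exists stands in for File.Exists)."""
    decoded = unquote(path_param)
    return os.path.exists(decoded)


def is_db_exist_hardened(path_param: str, db_root: str) -> bool:
    """Accept only a bare file name, resolve it under db_root and refuse
    anything that escapes. Refusals return False so the reply says nothing
    about paths outside db_root."""
    decoded = unquote(path_param)
    # A database name has no directory components; ':' additionally rules out
    # drive letters and NTFS alternate data streams on Windows hosts.
    if not decoded or os.path.basename(decoded) != decoded or ":" in decoded:
        return False
    root = os.path.realpath(db_root)
    full = os.path.realpath(os.path.join(root, decoded))
    # Defence in depth: the resolved path must still lie inside db_root
    # (realpath also catches symlinks pointing elsewhere).
    if os.path.commonpath([root, full]) != root:
        return False
    return os.path.isfile(full)


def demo() -> dict:
    """Constructed layout: one legitimate database inside the database
    directory and one sensitive file outside it; query both handlers."""
    with tempfile.TemporaryDirectory() as tmp:
        db_root = os.path.join(tmp, "ListServer")          # assumed DB directory
        os.mkdir(db_root)
        with open(os.path.join(db_root, "lists.db"), "w") as f:
            f.write("constructed list database\n")
        secret = os.path.join(tmp, "secret.key")           # constructed target
        with open(secret, "w") as f:
            f.write("constructed secret\n")

        # What an authenticated attacker would place in the "path" JSON key:
        # the URL-encoded absolute path of a file outside the DB directory,
        # plus a URL-encoded "../" traversal variant.
        probe_abs = secret.replace("/", "%2F").replace("\\", "%5C")
        probe_traversal = "%2e%2e%2fsecret.key"

        return {
            "vuln_legit": is_db_exist_vulnerable(os.path.join(db_root, "lists.db")),
            "vuln_abs": is_db_exist_vulnerable(probe_abs),          # oracle hit
            "hard_legit": is_db_exist_hardened("lists.db", db_root),
            "hard_abs": is_db_exist_hardened(probe_abs, db_root),   # refused
            "hard_traversal": is_db_exist_hardened(probe_traversal, db_root),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler answers True for the file outside the database directory, which is the disclosure the advisory describes; the hardened handler still answers True for the legitimate database name but False for absolute and traversal probes, and it does so by rejecting the shape of the input before touching the filesystem rather than by trying to sanitise the path.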

Fix

Side Channel Attack


Weakness Enumeration

Related Identifiers

CVE-2026-23620

Affected Products

Gfi Mailessentials