PT-2026-20910 · Gfi · Gfi Mailessentials

Alex Williams +1 · Published 2026-02-19 · Updated 2026-02-23 · CVE-2026-23621

CVSS v3.1: 4.3 Medium

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

GFI MailEssentials AI versions prior to 22.4

Description

The software contains an arbitrary directory existence enumeration issue in the ListServer.IsPathExist() web method, accessible via the API endpoint '/MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist'. An authenticated user can provide an unrestricted filesystem path through the JSON key 'path', which is URL-decoded and then passed to the Directory.Exists() function. This allows an attacker to determine whether arbitrary directories exist on the server.

Recommendations

Update to version 22.4 or later.

Fix

Side Channel Attack

Weakness Enumeration

Related Identifiers

CVE-2026-23621

Affected Products

Gfi Mailessentials