CVE-2026-23620

GFI MailEssentials AI versions prior to 22.4 contain an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can supply an unrestricted filesystem path via the JSON...

CVE-2026-23620

GFI MailEssentials AI (versions prior to 22.4) contains an information-disclosure vulnerability in ListServer.IsDBExist() at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. An authenticated user can provide an unrestricted filesystem path in the JSON key "path" (URL-decoded and pass...