Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1020 CNY

100%
Buy Us a Coffee

CVE-2026-23621— GFI MailEssentials AI < 22.4 ListServer.IsPathExist() Absolute Directory Traversal to File Enumeration

CVSS 4.3 · Medium EPSS 0.04% · P13

Affected Version Matrix 1

VendorProductVersion RangeStatus
GFI SoftwareMailEssentials AI< 22.4affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-23621

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
GFI MailEssentials AI < 22.4 ListServer.IsPathExist() Absolute Directory Traversal to File Enumeration
Source: NVD (National Vulnerability Database)
Vulnerability Description
GFI MailEssentials AI versions prior to 22.4 contain an arbitrary directory existence enumeration vulnerability in the ListServer.IsPathExist() web method exposed at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. An authenticated user can supply an unrestricted filesystem path via the JSON key \"path\", which is URL-decoded and passed to Directory.Exists(), allowing the attacker to determine whether arbitrary directories exist on the server.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
通过差异性导致的信息暴露
Source: NVD (National Vulnerability Database)
Vulnerability Title
GFI MailEssentials AI 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
GFI MailEssentials AI是美国GFI开源的一个反垃圾邮件与数据泄露防护软件。 GFI MailEssentials AI 22.4之前版本存在安全漏洞,该漏洞源于ListServer.IsPathExist() Web方法存在任意目录存在枚举漏洞,可能导致信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
GFI SoftwareMailEssentials AI 0 ~ 22.4 -

II. Public POCs for CVE-2026-23621

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-23621

登录查看更多情报信息。
Vendor · 1

Same Patch Batch · GFI Software · 2026-02-19 · 18 CVEs total

CVE-2026-236115.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam IP Blocklist Description Stored XSS
CVE-2026-236165.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam Anti-Spoofing Description Stored XSS
CVE-2026-236065.4 MEDIUMGFI MailEssentials AI < 22.4 Advanced Content Filtering Rule Stored XSS
CVE-2026-236085.4 MEDIUMGFI MailEssentials AI < 22.4 Email Management Mail Monitoring Rule Stored XSS
CVE-2026-236055.4 MEDIUMGFI MailEssentials AI < 22.4 Attachment Filtering Rule Stored XSS
CVE-2026-236075.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam Whitelist Description Stored XSS
CVE-2026-236135.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam URI DNS Blocklist Domain Stored XSS
CVE-2026-236095.4 MEDIUMGFI MailEssentials AI < 22.4 General Settings Perimeter SMTP Servers Description Stored XS
CVE-2026-236145.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam Sender Policy Framework IP Exceptions Description S
CVE-2026-236045.4 MEDIUMGFI MailEssentials AI < 22.4 Keyword Filtering Rule Stored XSS
CVE-2026-236125.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam IP DNS Blocklist Domain Stored XSS
CVE-2026-236195.4 MEDIUMGFI MailEssentials AI < 22.4 General Settings Local Domains Domain Description Stored XSS
CVE-2026-236175.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam Spam Keyword Checking Body Condition Stored XSS
CVE-2026-236155.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam Sender Policy Framework Email Exceptions Descriptio
CVE-2026-236185.4 MEDIUMGFI MailEssentials AI < 22.4 Anti-Spam Spam Keyword Checking Subject Condition Stored XSS
CVE-2026-236105.4 MEDIUMGFI MailEssentials AI < 22.4 POP2Exchange POP3 Server Login Stored XSS
CVE-2026-236204.3 MEDIUMGFI MailEssentials AI < 22.4 ListServer.IsDbExist() Absolute Directory Traversal to File E

IV. Related Vulnerabilities

Same product: MailEssentials AI
Same vendor: GFI Software
Same weakness: CWE-203

V. Comments for CVE-2026-23621

No comments yet

Leave a comment