GFI MailEssentials AI
cpe:2.3:a:gfi:mailessentials:*:*:*:*:*:*:*
- < 22.4
GFI MailEssentials AI versions prior to 22.4 have an arbitrary file existence enumeration vulnerability in the ListServer.IsDBExist() web method, located at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist. This vulnerability allows authenticated users to send unrestricted filesystem paths via the JSON key 'path'. The server URL-decodes this input and passes it to the File.Exists() function, enabling attackers to check for the existence of arbitrary files on the server.
Successful exploitation lets an authenticated user determine whether specific files are present on the server's filesystem.
Users can upgrade to GFI MailEssentials AI version 22.4 or later to address this vulnerability.
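One way to look for use of this endpoint in web server logs, added here as an example and not taken from GFI or from this advisory: it counts requests to IsDBExist per user and client IP, because the JSON body carrying 'path' does not appear in IIS W3C logs. The log field layout, the threshold and the sample lines are assumptions constructed for illustration.

```python
from collections import Counter

# Endpoint path as given in the advisory; compared case-insensitively.
ENDPOINT = "/mailessentials/pages/mailsecurity/listserver.aspx/isdbexist"
THRESHOLD = 5  # assumed cut-off for repeated probing; tune per environment

# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-01-10 09:00:01 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist admin 10.0.0.5 200
2025-01-10 09:02:10 GET /favicon.ico admin 10.0.0.5 200
2025-01-10 09:05:01 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist jsmith 10.0.0.23 200
2025-01-10 09:05:02 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist jsmith 10.0.0.23 200
2025-01-10 09:05:03 POST /mailessentials/pages/mailsecurity/listserver.aspx/isdbexist jsmith 10.0.0.23 200
2025-01-10 09:05:04 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist jsmith 10.0.0.23 200
2025-01-10 09:05:05 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist jsmith 10.0.0.23 200
2025-01-10 09:05:06 POST /MailEssentials/pages/MailSecurity/ListServer.aspx/IsDBExist
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def isdbexist_callers(text, threshold=THRESHOLD):
    """Return {(user, client_ip): request_count} for callers at or above threshold."""
    hits = Counter()
    for row in parse_w3c(text):
        if row.get("cs-uri-stem", "").lower() == ENDPOINT:
            hits[(row.get("cs-username", "-"), row.get("c-ip", "-"))] += 1
    return {caller: n for caller, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for (user, ip), count in isdbexist_callers(SAMPLE_LOG).items():
        print(f"{user} from {ip}: {count} IsDBExist requests")
```

A single call can be ordinary administrative use of the ListServer page; a burst from one account is the pattern to review on servers still running a version before 22.4.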