GFI MailEssentials AI Directory Enumeration Vulnerability in ListServer Web Method

Vulnerability

A directory existence enumeration vulnerability has been identified in GFI MailEssentials AI versions prior to 22.4. The issue resides in the ListServer.IsPathExist() web method, accessible at /MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist. This vulnerability allows authenticated users to send arbitrary filesystem paths via the JSON key 'path'. The supplied paths are URL-decoded and evaluated using Directory.Exists(), enabling attackers to determine the existence of specific directories on the server.

Impact

Exploitation of this vulnerability allows arbitrary directory existence enumeration on the server, which could serve as a precursor to further attacks, such as exploitation of path traversal or file inclusion vulnerabilities.

Remediation

Users are advised to upgrade to GFI MailEssentials AI version 22.4 or later.
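
Until a server is on 22.4 or later, repeated calls to the IsPathExist web method can be looked for in the web server logs. The following is an added example, not code from GFI or from this advisory. It assumes IIS W3C extended logs with the fields shown and a hypothetical threshold of five calls per minute, and it keys on request volume because the 'path' value travels in the POST body, which these logs do not record.

```python
from collections import Counter

# Web method path from the advisory; lower-cased because IIS URLs are case-insensitive.
ENDPOINT = "/mailessentials/pages/mailsecurity/listserver.aspx/ispathexist"

# Constructed sample log (not real traffic): one account issues six calls in a
# single minute, another issues one call and one unrelated request.
_URI = "/MailEssentials/pages/MailSecurity/ListServer.aspx/IsPathExist"
SAMPLE_LOG = (
    "#Software: constructed sample\n"
    "#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status\n"
    + "".join(f"2026-01-01 10:00:{s:02d} POST {_URI} user_b 10.0.0.23 200\n"
              for s in range(6))
    + f"2026-01-01 10:05:00 POST {_URI} user_a 10.0.0.5 200\n"
    + "2026-01-01 10:05:02 GET /example/other.aspx user_a 10.0.0.5 200\n"
)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the latest #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed lines
                yield dict(zip(fields, values))


def ispathexist_bursts(text, threshold=5):
    """Return {(user, client_ip, minute): count} where count >= threshold."""
    counts = Counter()
    for row in parse_w3c(text):
        if row.get("cs-method") != "POST":
            continue
        if row.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        minute = f"{row.get('date', '-')} {row.get('time', '-')[:5]}"
        counts[(row.get("cs-username", "-"), row.get("c-ip", "-"), minute)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, ip, minute), n in ispathexist_bursts(SAMPLE_LOG).items():
        print(f"{minute} user={user} ip={ip} IsPathExist calls={n}")
```

Tune the threshold against a baseline of normal administrative use of the ListServer page before alerting on it.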

Added: Feb 19, 2026, 7:39 PM
Updated: Feb 19, 2026, 9:00 PM

Vulnerability Rating

Custom Algorithm
spread: 4.5
impact: 0.6
exploitability: 4.9
remediation: 7.7
relevance: 3.2
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.