Mail Express® is NOT vulnerable to the Apache Commons Library exploit


  • Mail Express®, all versions


Mail Express is not vulnerable to the Apache Commons Library exploit, because Mail Express doesn’t use any of the vulnerable code paths.

As described at, there is a security vulnerability in the Apache Commons Library, which is used by Mail Express.

Globalscape’s Engineering team has validated that Mail Express uses the Apache Commons Library in question; however, it was determined that Mail Express does not use InvokerTransformer, which is the area of code that makes this vulnerability exploitable.

Globalscape is exploring two options: (1) updating the Apache Commons Library to the latest version, which mitigates the vulnerability, or (2) removing the InvokerTransformer class from the library, as we are not using it.

Because Mail Express is not affected, customers may continue to use the product without concern. However, customers can upgrade to a later version of Mail Express (when available) to pass internal security audits or scans that check for the affected version of the Apache Commons Library.

A future update of Mail Express should include this change.
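
As an added example (not Globalscape's code), one way to check whether a deployed archive still contains the InvokerTransformer class, for instance to confirm a build in which the class was removed as in option (2). It assumes the Apache Commons Collections package paths for the class; the archive names and sample contents are constructed.

```python
import io
import sys
import zipfile

# Entry names of the class in Apache Commons Collections 3.x and 4.x JARs.
INVOKER_ENTRIES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear")

def find_invoker_transformer(data, label, max_depth=3):
    """Return 'a.war!/lib/x.jar!/...class' paths for every hit, nested JARs included."""
    hits = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return hits  # not a readable archive, nothing to report
    with archive:
        for name in archive.namelist():
            if name in INVOKER_ENTRIES:
                hits.append(f"{label}!/{name}")
            elif name.lower().endswith(ARCHIVE_SUFFIXES) and max_depth > 0:
                hits += find_invoker_transformer(
                    archive.read(name), f"{label}!/{name}", max_depth - 1)
    return hits

def build_archive(entries):
    """Build an in-memory archive from {entry name: bytes} (constructed data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def demo():
    # Constructed samples: the library with the class, and with it removed.
    other = {"org/apache/commons/collections/CollectionUtils.class": b"stub"}
    original = build_archive({INVOKER_ENTRIES[0]: b"stub", **other})
    stripped = build_archive(other)
    before = build_archive({"WEB-INF/lib/commons-collections.jar": original})
    after = build_archive({"WEB-INF/lib/commons-collections.jar": stripped})
    return (find_invoker_transformer(before, "before.war"),
            find_invoker_transformer(after, "after.war"))

if __name__ == "__main__":
    for path in sys.argv[1:]:  # real archives named on the command line
        with open(path, "rb") as fh:
            print(path, find_invoker_transformer(fh.read(), path) or "not found")
    print(demo())
```

An empty result only shows that the class is absent; scanners that match on the library's version will still flag the JAR until the library itself is updated.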