Esri ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload, potentially allowing for other attacks. This issue impacts all versions of ArcGIS Server on Windows and Linux 12.0 and prior. This issue does not impact ArcGIS Enterprise for Kubernetes.
References
| Link | Resource |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin | Vendor Advisory |
Configurations
Configuration 1 (hide)
| AND |
|
History
08 Jul 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) Esri ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload, potentially allowing for other attacks. This issue impacts all versions of ArcGIS Server on Windows and Linux 12.0 and prior. This issue does not impact ArcGIS Enterprise for Kubernetes. |
08 Jul 2026, 15:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
08 Jul 2026, 03:09
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:* cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* |
|
| First Time |
Esri arcgis Server
Esri Linux linux Kernel Microsoft windows Linux Microsoft |
|
| References | () https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin - Vendor Advisory |
06 Jul 2026, 19:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-06 19:17
Updated : 2026-07-08 16:16
NVD link : CVE-2026-9182
Mitre link : CVE-2026-9182
CVE.ORG link : CVE-2026-9182
JSON object : View
Products Affected
esri
- arcgis_server
microsoft
- windows
linux
- linux_kernel
CWE
CWE-434
Unrestricted Upload of File with Dangerous Type
