CVE-2026-9182

Esri ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload, potentially allowing for other attacks. This issue impacts all versions of ArcGIS Server on Windows and Linux 12.0 and prior. This issue does not impact ArcGIS Enterprise for Kubernetes.
Configurations

Configuration 1 (hide)

AND
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
OR cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*

History

08 Jul 2026, 16:16

Type Values Removed Values Added
Summary (en) ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload. (en) Esri ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload, potentially allowing for other attacks. This issue impacts all versions of ArcGIS Server on Windows and Linux 12.0 and prior. This issue does not impact ArcGIS Enterprise for Kubernetes.

08 Jul 2026, 15:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 5.3
v2 : unknown
v3 : 9.8

08 Jul 2026, 03:09

Type Values Removed Values Added
CPE cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*
cpe:2.3:a:esri:arcgis_server:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*
First Time Esri arcgis Server
Esri
Linux linux Kernel
Microsoft windows
Linux
Microsoft
References () https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin - () https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin - Vendor Advisory

06 Jul 2026, 19:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-06 19:17

Updated : 2026-07-08 16:16


NVD link : CVE-2026-9182

Mitre link : CVE-2026-9182

CVE.ORG link : CVE-2026-9182


JSON object : View

Products Affected

esri

  • arcgis_server

microsoft

  • windows

linux

  • linux_kernel
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type