Total
65 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-67707 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-02-20 | N/A | 5.6 MEDIUM |
| ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation. | |||||
| CVE-2025-67706 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-02-19 | N/A | 5.6 MEDIUM |
| ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation. | |||||
| CVE-2024-51962 | 1 Esri | 1 Arcgis Server | 2026-02-13 | N/A | 8.7 HIGH |
| A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability. | |||||
| CVE-2024-51954 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-02-13 | N/A | 8.5 HIGH |
| There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software. | |||||
| CVE-2025-67703 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-67704 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-67705 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-67708 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-67709 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-67710 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-67711 | 3 Esri, Linux, Microsoft | 3 Arcgis Server, Linux Kernel, Windows | 2026-01-06 | N/A | 6.1 MEDIUM |
| There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser. | |||||
| CVE-2025-57870 | 4 Esri, Kubernetes, Linux and 1 more | 4 Arcgis Server, Kubernetes, Linux Kernel and 1 more | 2025-10-31 | N/A | 10.0 CRITICAL |
| A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase. | |||||
| CVE-2014-9741 | 1 Esri | 3 Arcgis For Desktop, Arcgis For Engine, Arcgis Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2014-5122 | 1 Esri | 1 Arcgis Server | 2025-04-12 | 5.8 MEDIUM | N/A |
| Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via an unspecified parameter, related to login. | |||||
| CVE-2014-5121 | 1 Esri | 1 Arcgis Server | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | |||||
| CVE-2013-5222 | 1 Esri | 1 Arcgis Server | 2025-04-11 | 3.5 LOW | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-4949 | 1 Esri | 1 Arcgis Server | 2025-04-11 | 6.5 MEDIUM | N/A |
| SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service. | |||||
| CVE-2013-5221 | 1 Esri | 1 Arcgis Server | 2025-04-11 | 3.5 LOW | N/A |
| The mobile-upload feature in Esri ArcGIS for Server 10.1 through 10.2 allows remote authenticated users to upload .exe files by leveraging (1) publisher or (2) administrator privileges. | |||||
| CVE-2013-7232 | 1 Esri | 1 Arcgis Server | 2025-04-11 | 7.5 HIGH | N/A |
| SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service. | |||||
| CVE-2013-7231 | 1 Esri | 1 Arcgis Server | 2025-04-11 | 3.5 LOW | N/A |
| Cross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2013-5222. | |||||