VYPR
Vendor: Esri

Products: 20
CVEs: 167
Across products: 197
Status: Private

Recent CVEs

  • CVE-2026-33519 | Critical | Apr 21, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

  • CVE-2026-33518 | Critical | Apr 21, 2026
    risk 0.64 | cvss 9.8 | epss 0.00

    An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.

  • CVE-2015-2002 | Critical | Mar 29, 2018
    risk 0.64 | cvss 9.8 | epss 0.02

    The ESRI ArcGIS Runtime SDK before 10.2.6-2 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.

  • CVE-2026-2812 | Medium | May 20, 2026
    risk 0.34 | cvss 5.3 | epss 0.00

    ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based…

  • CVE-2026-2813 | Medium | May 20, 2026
    risk 0.31 | cvss 4.7 | epss 0.00

    ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended,…

  • CVE-2025-67712 | Medium | Dec 19, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of…

  • CVE-2024-25700 | Medium | Apr 4, 2024
    risk 0.31 | cvss 4.8 | epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in a web map link which when clicked could potentially…

  • CVE-2025-1726 | Medium | Feb 26, 2025
    risk 0.28 | cvss 4.3 | epss 0.00

    There is a SQL injection issue in Esri ArcGIS Monitor versions 2023.0 through 2024.x on Windows and Linux that allows a remote, authenticated attacker with low privileges to improperly read limited database schema information by passing crafted queries. While it is possible to…

  • CVE-2012-1661 | Jul 12, 2012
    risk 0.05 | cvss | epss 0.24

    ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier do not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.

  • CVE-2007-1770 | Mar 30, 2007
    risk 0.04 | cvss | epss 0.17

    Buffer overflow in the ArcSDE service (giomgr) in Environmental Systems Research Institute (ESRI) ArcGIS before 9.2 Service Pack 2, when using three tiered ArcSDE configurations, allows remote attackers to cause a denial of service (giomgr crash) and execute arbitrary code via…

  • CVE-2012-4949 | Nov 14, 2012
    risk 0.03 | cvss | epss 0.04

    SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.

  • CVE-2005-1394 | May 3, 2005
    risk 0.03 | cvss | epss 0.01

    Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.

  • CVE-2024-25693 | Apr 4, 2024
    risk 0.01 | cvss | epss 0.01

    There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. 

  • CVE-2026-1446 | Jan 26, 2026
    risk 0.00 | cvss | epss 0.00

    There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard…

  • CVE-2025-67711 | Dec 31, 2025
    risk 0.00 | cvss | epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67710 | Dec 31, 2025
    risk 0.00 | cvss | epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67709 | Dec 31, 2025
    risk 0.00 | cvss | epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67708 | Dec 31, 2025
    risk 0.00 | cvss | epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67707 | Dec 31, 2025
    risk 0.00 | cvss | epss 0.00

    ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls…

  • CVE-2025-67706 | Dec 31, 2025
    risk 0.00 | cvss | epss 0.00

    ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls…