Vendor CVEs

Esri

All CVEs

167 total · sorted by risk
  • CVE-2026-33519 · Cri · Apr 21, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials.

  • CVE-2026-33518 · Cri · Apr 21, 2026
    risk 0.64 · cvss 9.8 · epss 0.00

    An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged users to create developer credentials that may grant more privileges than expected.

  • CVE-2015-2002 · Cri · Mar 29, 2018
    risk 0.64 · cvss 9.8 · epss 0.02

    The ESRI ArcGis Runtime SDK before 10.2.6-2 for Android might allow attackers to execute arbitrary code by leveraging a finalize method in a Serializable class that improperly passes an attacker-controlled pointer to a native function.

  • CVE-2026-2812 · Med · May 20, 2026
    risk 0.34 · cvss 5.3 · epss 0.00

    ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based…

  • CVE-2026-2813 · Med · May 20, 2026
    risk 0.31 · cvss 4.7 · epss 0.00

    ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended,…

  • CVE-2025-67712 · Med · Dec 19, 2025
    risk 0.31 · cvss 4.7 · epss 0.00

    There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of…

  • CVE-2024-25700 · Med · Apr 4, 2024
    risk 0.31 · cvss 4.8 · epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Web App Builder versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link that is stored in a web map link which when clicked could potentially…

  • CVE-2025-1726 · Med · Feb 26, 2025
    risk 0.28 · cvss 4.3 · epss 0.00

    There is a SQL injection issue in Esri ArcGIS Monitor versions 2023.0 through 2024.x on Windows and Linux that allows a remote, authenticated attacker with low privileges to improperly read limited database schema information by passing crafted queries. While it is possible to…

  • CVE-2012-1661 · Jul 12, 2012
    risk 0.05 · cvss · epss 0.24

    ESRI ArcMap 9 and ArcGIS 10.0.2.3200 and earlier does not properly prompt users before executing embedded VBA macros, which allows user-assisted remote attackers to execute arbitrary VBA code via a crafted map (.mxd) file.

  • CVE-2007-1770 · Mar 30, 2007
    risk 0.04 · cvss · epss 0.17

    Buffer overflow in the ArcSDE service (giomgr) in Environmental Systems Research Institute (ESRI) ArcGIS before 9.2 Service Pack 2, when using three tiered ArcSDE configurations, allows remote attackers to cause a denial of service (giomgr crash) and execute arbitrary code via…

  • CVE-2012-4949 · Nov 14, 2012
    risk 0.03 · cvss · epss 0.04

    SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.

  • CVE-2005-1394 · May 3, 2005
    risk 0.03 · cvss · epss 0.01

    Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.

  • CVE-2024-25693 · Apr 4, 2024
    risk 0.01 · cvss · epss 0.01

    There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to traverse the file system to access files or execute code outside of the intended directory. 

  • CVE-2026-1446 · Jan 26, 2026
    risk 0.00 · cvss · epss 0.00

    There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard…

  • CVE-2025-67711 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67710 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67709 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67708 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67707 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls…

  • CVE-2025-67706 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls…

  • CVE-2025-67705 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67704 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-67703 · Dec 31, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

  • CVE-2025-57870 · Oct 22, 2025
    risk 0.00 · cvss · epss 0.01

    A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful…

  • CVE-2025-57871 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.

  • CVE-2025-57872 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.

  • CVE-2025-57873 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.

  • CVE-2025-57874 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.

  • CVE-2025-57875 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.

  • CVE-2025-57877 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser.

  • CVE-2025-57878 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.

  • CVE-2025-57879 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks.

  • CVE-2025-57876 · Sep 29, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which when loaded could potentially execute arbitrary JavaScript code in the…

  • CVE-2025-55107 · Aug 21, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which when loaded could potentially execute…

  • CVE-2025-55106 · Aug 21, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which when loaded could potentially execute arbitrary…

  • CVE-2025-55105 · Aug 21, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which when loaded could potentially execute arbitrary…

  • CVE-2025-55104 · Aug 21, 2025
    risk 0.00 · cvss · epss 0.00

    A stored cross-site scripting (XSS) vulnerability exists in ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the ability to create or edit a site to add and store an XSS payload. If this stored XSS payload is triggered by any user attacker supplied…

  • CVE-2025-55103 · Aug 21, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which when loaded could potentially execute arbitrary…

  • CVE-2025-4967 · May 29, 2025
    risk 0.00 · cvss · epss 0.00

    Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.

  • CVE-2025-2538 · Mar 20, 2025
    risk 0.00 · cvss · epss 0.01

    A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may allow a remote unauthenticated attacker to gain administrative access to the system.

  • CVE-2024-51966 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.01

    There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to…

  • CVE-2024-51963 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. …

  • CVE-2024-51962 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users…

  • CVE-2024-51961 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.  Due to the…

  • CVE-2024-51960 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. …

  • CVE-2024-51959 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. …

  • CVE-2024-51958 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.01

    There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory.  There is no impact to…

  • CVE-2024-51957 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. …

  • CVE-2024-51956 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. …

  • CVE-2024-51954 · Mar 3, 2025
    risk 0.00 · cvss · epss 0.00

    There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS…

Page 1 of 4