Esri ArcGIS Server

67 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-2813
all versions
ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit thi
4.7 MEDIUM
CVE-2026-2812
>= 11.1 and <= 12.0
ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated att
5.3 MEDIUM
CVE-2025-67711
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-67710
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-67709
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-67708
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-67707
<= 11.5
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauth
5.6 MEDIUM
CVE-2025-67706
<= 11.5
ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauth
5.6 MEDIUM
CVE-2025-67705
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-67704
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-67703
<= 11.5
There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configuratio
6.1 MEDIUM
CVE-2025-57870
>= 11.3 and <= 11.5
A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vul
10.0 CRITICAL
CVE-2024-5888
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51966
>= 10.9.1 and <= 11.3
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote
4.9 MEDIUM
CVE-2024-51963
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authen
4.8 MEDIUM
CVE-2024-51962
>= 10.9.1 and <= 11.3
A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to
8.7 HIGH
CVE-2024-51961
>= 10.9.1 and <= 11.3
There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to
7.5 HIGH
CVE-2024-51960
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51959
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51958
>= 10.9.1 and <= 11.3
There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote
4.9 MEDIUM
CVE-2024-51957
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51956
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51954
>= 10.9.1 and <= 11.3
There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circum
8.5 HIGH
CVE-2024-51953
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51952
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51951
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51950
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51949
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51948
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51947
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51946
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51945
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51944
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-51942
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2024-10904
>= 10.9.1 and <= 11.3
There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authent
4.8 MEDIUM
CVE-2023-25848
>= 10.8.1 and <= 11.0
ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacke
5.3 MEDIUM
CVE-2023-25841
>= 10.8.1 and < 11.1
There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms
6.1 MEDIUM
CVE-2023-25840
>= 10.8.1 and < 11.1
There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated
3.4 LOW
CVE-2022-38202
<= 10.9.1
There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remot
7.5 HIGH
CVE-2022-38200
all versions
A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specif
6.1 MEDIUM
CVE-2022-38199
all versions
A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a
6.1 MEDIUM
CVE-2022-38198
<= 10.9.1
There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may al
6.1 MEDIUM
CVE-2022-38197
<= 10.9.1
Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker
6.1 MEDIUM
CVE-2022-38196
<= 10.9.1
Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowin
6.5 MEDIUM
CVE-2022-38195
<= 10.9.1
There is a reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthor
6.1 MEDIUM
CVE-2021-29116
all versions
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature s
6.1 MEDIUM
CVE-2021-29114
<= 10.9.0
A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated a
9.8 CRITICAL
CVE-2021-29113
<= 10.9.0
A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inje
4.7 MEDIUM
CVE-2021-29105
< 10.9.0
A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a re
5.4 MEDIUM
CVE-2021-29104
< 10.9.0
A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthentic
6.1 MEDIUM
CVE-2021-29103
< 10.9.0
A reflected Cross Site Scripting (XSS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to
6.1 MEDIUM
CVE-2021-29102
< 10.9.0
A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthent
9.1 CRITICAL
CVE-2021-29107
all versions
A stored Cross Site Scripting (XSS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthentic
6.1 MEDIUM
CVE-2021-29106
< 10.9.0
A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker ab
6.1 MEDIUM
CVE-2021-29099
<= 10.8.1
A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web re
5.3 MEDIUM
CVE-2021-29095
<= 10.8.1
Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) al
6.8 MEDIUM
CVE-2021-29094
<= 10.8.1
Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows a
6.8 MEDIUM
CVE-2021-29093
<= 10.8.1
A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenti
6.8 MEDIUM
CVE-2020-35712
< 10.8
Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.
9.8 CRITICAL
CVE-2014-9741
<= 10.2.2
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 an
CVE-2014-5122
all versions
Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and
CVE-2014-5121
all versions
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary we
CVE-2013-7232
<= 10.2
SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via u
CVE-2013-7231
all versions
Cross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authen
CVE-2013-5222
all versions
Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1 allow remote authenticated users to inject arbi
CVE-2013-5221
all versions
The mobile-upload feature in Esri ArcGIS for Server 10.1 through 10.2 allows remote authenticated users to upload .exe files by le
CVE-2012-4949
all versions
SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where
threatengine.sh