Arcgis Server

ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue by sending a specially crafted request, Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions. The vulnerability affects only the client side navigation logic during authentication and remains confined to the same security boundary. No server side compromise or cross component impact is possible.  This issue affects ArcGIS Server 11.5.

Published: 2026-05-20T17:51:51.061Z
Updated: 2026-05-20T19:29:23.736Z

ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.

Published: 2026-05-20T17:47:40.451Z
Updated: 2026-05-20T19:30:36.857Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:18:57.223Z
Updated: 2026-01-02T14:01:30.326Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:18:17.106Z
Updated: 2026-01-02T14:10:36.512Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:17:41.083Z
Updated: 2026-01-02T15:30:05.175Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:17:08.738Z
Updated: 2026-01-02T15:30:53.302Z

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

Published: 2025-12-31T22:16:14.745Z
Updated: 2026-02-19T19:11:02.766Z

ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server’s designated upload directories. However, the server’s architecture enforces controls that restrict uploaded files to non‑executable storage locations and prevent modification or replacement of existing application components or system configurations. Uploaded files cannot be executed, leveraged to escalate privileges, or used to access sensitive data. Because the issue does not enable execution, service disruption, unauthorized access, or integrity compromise, its impact on confidentiality, integrity, and availability is low. Note that race conditions, secret values, or man‑in‑the‑middle conditions are required for exploitation.

Published: 2025-12-31T22:15:44.035Z
Updated: 2026-02-19T19:10:19.946Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:15:05.494Z
Updated: 2026-01-02T15:42:45.894Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:14:32.216Z
Updated: 2026-01-02T15:43:20.560Z

There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenticated attacker to store files that contain malicious code that may execute in the context of a victim’s browser.

Published: 2025-12-31T22:13:12.983Z
Updated: 2026-01-02T16:09:05.399Z

A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification, or deletion of data from the underlying Enterprise Geodatabase.

Published: 2025-10-22T14:26:22.857Z
Updated: 2026-02-26T16:57:13.694Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:36:56.864Z
Updated: 2025-04-10T19:22:18.895Z

There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory. There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.

Published: 2025-03-03T19:59:14.080Z
Updated: 2025-04-10T19:29:07.421Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:59:01.450Z
Updated: 2025-04-10T19:22:58.294Z

A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non‑administrative privileges. Exploitation is restricted to users with advanced application‑specific permissions, indicating high privileges are required. Successful exploitation would have a high impact on integrity and confidentiality, with no impact on availability.

Published: 2025-03-03T19:58:48.928Z
Updated: 2026-02-06T06:08:07.932Z

There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server.  Due to the nature of the files accessible in this vulnerability the impact to confidentiality is High there is no impact to both integrity or availability.

Published: 2025-03-03T19:58:26.627Z
Updated: 2025-04-10T19:25:47.824Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:58:12.620Z
Updated: 2025-04-10T19:33:55.565Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:58:02.105Z
Updated: 2025-04-10T19:25:07.548Z

There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote authenticated attacker with admin privileges to traverse the file system to access files outside of the intended directory.  There is no impact to integrity or availability due to the nature of the files that can be accessed, but there is a potential high impact to confidentiality.

Published: 2025-03-03T19:57:48.374Z
Updated: 2025-04-10T19:26:38.749Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:57:35.813Z
Updated: 2025-04-10T19:24:28.253Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:53:44.566Z
Updated: 2025-04-10T19:34:30.728Z

There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low‑privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protected services outside the attacker’s originally assigned authorization boundary, constituting a scope change. If exploited, this issue would have a high impact on confidentiality, a low impact on integrity, and no impact on the availability of the software.

Published: 2025-03-03T19:53:21.215Z
Updated: 2026-02-06T06:06:30.794Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:53:12.451Z
Updated: 2025-04-10T19:23:50.558Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:53:02.131Z
Updated: 2025-04-10T19:29:48.194Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:52:51.058Z
Updated: 2025-04-10T19:35:05.865Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:39:24.565Z
Updated: 2025-04-10T19:36:18.542Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:39:14.394Z
Updated: 2025-04-10T19:33:14.560Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:38:56.660Z
Updated: 2025-04-10T19:32:33.258Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:38:46.337Z
Updated: 2025-04-10T19:31:55.130Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:38:35.952Z
Updated: 2025-04-10T19:31:05.927Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:38:22.201Z
Updated: 2025-04-10T19:35:39.648Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:38:10.721Z
Updated: 2025-04-10T19:30:28.196Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:37:30.716Z
Updated: 2025-04-10T19:28:26.264Z

There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated attacker to create a stored crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. The privileges required to execute this attack are high, requiring publisher capabilities. The impact is low to both confidentiality and integrity while having no impact to availability.

Published: 2025-03-03T19:37:16.214Z
Updated: 2025-04-10T19:37:32.457Z

ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may submit a crafted query that may result in a low severity information disclosure issue. The information disclosed is limited to a single attribute in a database connection string. No business data is disclosed.

Published: 2023-08-25T18:44:14.016Z
Updated: 2024-10-08T16:33:52.950Z

There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser. Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.

Published: 2023-07-21T18:38:24.437Z
Updated: 2025-04-10T18:43:52.035Z

There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover wont execute but could potentially render an image in the victims browser.  The privileges required to execute this attack are high.

Published: 2023-07-21T18:37:34.431Z
Updated: 2025-04-10T18:43:16.338Z

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).

Published: 2022-12-28T00:00:00.000Z
Updated: 2025-04-10T14:55:14.901Z

A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically crafted web requests can execute arbitrary JavaScript in the context of the victim's browser.

Published: 2022-10-25T16:31:44.000Z
Updated: 2025-04-10T14:56:29.402Z

A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the internet.

Published: 2022-10-25T16:31:49.102Z
Updated: 2025-04-10T14:56:20.074Z

There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a remote, unauthenticated attacker to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Published: 2022-10-25T16:31:53.820Z
Updated: 2025-04-10T14:56:12.281Z

Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker controlled website via a crafted query parameter.

Published: 2022-10-25T16:31:58.136Z
Updated: 2025-04-10T14:55:58.805Z

Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite internal ArcGIS Server directory.

Published: 2022-10-25T16:32:04.168Z
Updated: 2025-04-10T14:55:48.363Z

There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the victim’s browser.

Published: 2022-10-25T16:32:09.865Z
Updated: 2025-04-10T14:55:37.078Z

A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services may allow a remote, unauthenticated attacker to pass and store malicious strings via crafted queries which when accessed could potentially execute arbitrary JavaScript code in the user’s browser.

Published: 2021-12-07T11:00:53.382Z
Updated: 2025-04-10T14:58:53.616Z

An information disclosure vulnerability in the ArcGIS Service Directory in Esri ArcGIS Enterprise versions 10.9.0 and below may allows a remote attacker to view hidden field names in feature layers. This issue may reveal field names, but not not disclose features.

Published: 2021-12-07T10:56:55.260Z
Updated: 2025-04-10T14:59:02.069Z

A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.

Published: 2021-12-07T10:51:39.544Z
Updated: 2025-04-10T14:59:11.832Z

A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject attacker supplied html into a page.

Published: 2021-12-07T10:48:48.897Z
Updated: 2025-04-10T14:59:26.919Z

A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.

Published: 2021-07-10T14:23:45.846Z
Updated: 2025-04-10T15:00:53.604Z

A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.

Published: 2021-07-10T14:26:11.746Z
Updated: 2025-04-10T15:00:45.264Z

A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote authenticated attacker to pass and store malicious strings in the ArcGIS Services Directory.

Published: 2021-07-11T01:11:36.814Z
Updated: 2025-04-10T15:00:38.088Z

A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated attacker to pass and store malicious strings in the ArcGIS Server Manager application.

Published: 2021-07-11T01:39:41.853Z
Updated: 2025-04-10T15:00:11.879Z

A reflected Cross Site Scripting (XXS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince a user to click on a crafted link which could potentially execute arbitrary JavaScript code in the user’s browser.

Published: 2021-07-11T01:16:28.826Z
Updated: 2025-04-10T15:00:29.311Z

A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks.

Published: 2021-07-11T01:28:15.394Z
Updated: 2025-04-10T15:00:22.287Z

A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this issue.

Published: 2021-06-07T11:47:19.951Z
Updated: 2025-04-10T15:01:07.559Z

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

Published: 2021-03-25T20:34:59.374Z
Updated: 2024-09-16T21:02:24.653Z

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

Published: 2021-03-25T20:33:20.321Z
Updated: 2024-09-16T16:59:12.551Z

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

Published: 2021-03-25T20:32:06.303Z
Updated: 2024-09-17T02:01:25.468Z

Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.

Published: 2020-12-25T23:46:36.000Z
Updated: 2024-08-04T17:09:15.150Z

Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Published: 2015-07-08T15:00:00.000Z
Updated: 2024-09-16T19:24:45.891Z

SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.

Published: 2013-12-30T02:00:00.000Z
Updated: 2024-09-16T22:50:26.590Z