
Esri Arcgis Server vulnerabilities

68 known vulnerabilities affecting esri/arcgis_server.

Total CVEs: 68
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 4, HIGH 6, MEDIUM 54, LOW 4

Vulnerabilities

Page 1 of 4
CVE ID | Priority | Severity | CVSS | Versions | Date

CVE-2025-57870 | P2 | CRITICAL | CVSS 10.0 | ≥ 11.3, ≤ 11.5 | 2025-10-22
CWE-89: A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary SQL commands via a specific ArcGIS Feature Service operation. Successful exploitation can potentially result in unauthorized access, modification,
Source: nvd

CVE-2012-4949 | P3 | MEDIUM | CVSS 6.5 | PoC, v10.1 | 2012-11-14
CWE-89: SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter to a query URI for a REST service.
Source: nvd

CVE-2021-29114 | P2 | CRITICAL | CVSS 9.8 | ≤ 10.9.0; ≥ All, < 10.9.0 | 2021-12-07
CWE-89: A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confidentiality, integrity and availability of targeted services via specifically crafted queries.
Source: nvd

CVE-2021-29102 | P2 | CRITICAL | CVSS 9.1 | fixed in 10.9.0; ≥ All, < 10.9.0 | 2021-07-11
CWE-918: A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET requests to arbitrary URLs from the system, potentially leading to network enumeration or facilitating other attacks.
Source: nvd

CVE-2024-51954 | P3 | HIGH | CVSS 8.5 | ≥ 10.9.1, ≤ 11.3; ≥ all, ≤ 11.3 | 2025-03-03
CWE-284: There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote, low-privileged authenticated attacker to access secure services published to a standalone (unfederated) ArcGIS Server instance. Successful exploitation results in unauthorized access to protec
Source: nvd

CVE-2020-35712 | P3 | CRITICAL | CVSS 9.8 | fixed in 10.8 | 2020-12-26
CWE-918: Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations.
Source: nvd

CVE-2024-51962 | P3 | HIGH | CVSS 8.7 | ≥ 10.9.1, ≤ 11.3; ≥ all, ≤ 11.3 | 2025-03-03
CWE-89: A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed by a remote authenticated user requiring elevated, non-administrative privileges. Exploitation is restricted to users with advanced application-specific permissions, indicating high privileges ar
Source: nvd

CVE-2022-38202 | P3 | HIGH | CVSS 7.5 | ≤ 10.9.1; ≥ 11.0, ≤ all | 2022-12-28
CWE-23: There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker to traverse the file system to access files outside of the intended directory on ArcGIS Server. This could lead to the disclosure of sensitive site configuration information (not user datasets).
Source: nvd

CVE-2024-51961 | P3 | HIGH | CVSS 7.5 | ≥ 10.9.1, ≤ 11.3; ≥ all, ≤ 11.3 | 2025-03-03
CWE-73: There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could potentially disclose sensitive configuration information by reading internal files from the remote server. Due to the nature of the files accessible in this vulnerability the impact to confidentiality
Source: nvd

CVE-2022-38196 | P3 | HIGH | CVSS 8.1 | ≤ 10.9.1; ≥ All, ≤ 10.9.1 | 2022-10-25
CWE-22: Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated attacker to overwrite an internal ArcGIS Server directory.
Source: nvd

CVE-2013-7232 | P3 | HIGH | CVSS 7.5 | ≤ 10.2 | 2013-12-30
CWE-89: SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via unspecified input to the map or feature service.
Source: nvd

CVE-2025-67706 | P3 | MEDIUM | CVSS 5.6 | ≤ 11.5; ≥ 10.9.1, ≤ 11.4 | 2025-12-31
CWE-434: ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server's designated upload directories. However, the server's architecture enforces controls that restrict uploaded files to non-executable storage locations and preven
Source: nvd

CVE-2025-67707 | P3 | MEDIUM | CVSS 5.6 | ≤ 11.5; ≥ 10.9.1, ≤ 11.5 | 2025-12-31
CWE-434: ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated attacker to upload arbitrary files to the server's designated upload directories. However, the server's architecture enforces controls that restrict uploaded files to non-executable storage locations and preven
Source: nvd

CVE-2026-2812 | P3 | MEDIUM | CVSS 5.3 | ≥ 11.1, ≤ 12.0 | 2026-05-20
CWE-287: ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker could exploit this issue by sending a crafted request to the endpoint. Successful exploitation may result in disruption of the web-based browsing interface. This issue affects ArcGIS Server 12.0 and earlier.
Source: nvd

CVE-2021-29095 | P4 | MEDIUM | CVSS 6.8 | ≤ 10.8.1; ≥ 10.8.1, < 10.9 | 2021-03-25
CWE-824: Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allow an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
Source: nvd

CVE-2021-29094 | P4 | MEDIUM | CVSS 6.8 | ≤ 10.8.1; ≥ All, ≤ 10.9.0 | 2021-03-25
CWE-120: Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allow an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
Source: nvd

CVE-2021-29093 | P4 | MEDIUM | CVSS 6.8 | ≤ 10.8.1; ≥ All, ≤ 10.9 | 2021-03-25
CWE-416: A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.
Source: nvd

CVE-2022-38197 | P4 | MEDIUM | CVSS 6.1 | ≤ 10.9.1; ≥ All, ≤ 10.9.1 | 2022-10-25
CWE-601: Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessing an attacker-controlled website via a crafted query parameter.
Source: nvd

CVE-2021-29099 | P4 | MEDIUM | CVSS 5.3 | ≤ 10.8.1; ≥ 10.8.1, < 10.9.0 | 2021-06-07
CWE-89: A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests can expose information that is not intended to be disclosed (not customer datasets). Web Services that use file-based data sources (file Geodatabase or Shape Files or tile cached services) are unaffected by this iss
Source: nvd

CVE-2022-38199 | P4 | MEDIUM | CVSS 6.1 | v10.7.1, v10.8.1, +2 more | 2022-10-25
CWE-494: A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote, unauthenticated attacker to induce an unsuspecting victim to launch a process in the victim's PATH environment. Current browsers provide users with warnings against running unsigned executables downloaded from the
Source: nvd