Esri ArcGIS Server
56 CVEs affecting Esri ArcGIS Server. Latest disclosed: 2026-05-20. Critical: 2, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-57870 | Critical | 10.0 | 2025-10-22 | A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This vulnerability allows a remote, u… |
| CVE-2021-29102 | Critical | 9.1 | 2021-07-11 | A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated attacker to forge GET… |
| CVE-2024-51962 | High | 8.7 | 2025-03-03 | A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL injection when performed… |
| CVE-2024-51954 | High | 8.5 | 2025-03-03 | There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances, could allow a remote… |
| CVE-2024-51961 | High | 7.5 | 2025-03-03 | There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a URL that could poten… |
| CVE-2022-38202 | High | 7.5 | 2022-12-28 | There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote, unauthenticated attacker t… |
| CVE-2021-29114 | High | 7.3 | 2021-12-07 | A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker to impact the confide… |
| CVE-2022-38196 | Medium | 6.5 | 2022-10-25 | Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a remote, authenticated att… |
| CVE-2021-29095 | Medium | 6.4 | 2021-03-25 | Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacke… |
| CVE-2021-29094 | Medium | 6.4 | 2021-03-25 | Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with… |
| CVE-2021-29093 | Medium | 6.4 | 2021-03-25 | A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specializ… |
| CVE-2025-67711 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2025-67710 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2025-67709 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2025-67708 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2025-67705 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2025-67704 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2025-67703 | Medium | 6.1 | 2025-12-31 | There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows a remote unauthenti… |
| CVE-2022-38195 | Medium | 6.1 | 2022-10-25 | There is a reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized attacker able to convinc… |
| CVE-2022-38197 | Medium | 6.1 | 2022-10-25 | Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish a user into accessin… |