Arcgis Esri Arcgis


By the Year

In 2026 there have been 0 vulnerabilities in Esri Arcgis. Last year, in 2025, Arcgis had 2 security vulnerabilities published. Right now, Arcgis is on track to have fewer security vulnerabilities in 2026 than it did last year.




| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 2 | 4.75 |
| 2024 | 1 | 8.50 |
| 2023 | 2 | 4.75 |
| 2022 | 0 | 0.00 |
| 2021 | 5 | 7.20 |

It may take a day or so for new Arcgis vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Esri Arcgis Security Vulnerabilities

HTML Injection via Unsanitized Input in Esri ArcGIS WB Dev Ed <2.30
CVE-2025-67712 4.7 - Medium - December 19, 2025

There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.

XSS

Esri Portal for ArcGIS Enterprise Sites XSS in File Upload (v10.9.1/11.4)
CVE-2025-55107 4.8 - Medium - August 21, 2025

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 - 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in the victim's browser. The privileges required to execute this attack are high. The attack could disclose a privileged token which may result in the attacker gaining full control of the Portal.

XSS

Improper Auth Esri Portal ArcGIS <=11.2 Home App RUA Vulnerability
CVE-2024-25699 8.5 - High - April 04, 2024

There is a difficult-to-exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and below on Windows and Linux, and ArcGIS Enterprise versions 11.1 and below on Kubernetes, which under unique circumstances could allow a remote, authenticated attacker with low-privileged access to compromise the confidentiality, integrity, and availability of the software. Successful exploitation allows the attacker to cross an authentication and authorization boundary beyond their originally assigned access, resulting in a scope change.

Authentication

ArcGIS Server XSS via Feature Services <11.0 (CVE-2023-25841)
CVE-2023-25841 6.1 - Medium - July 21, 2023

There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may allow a remote, unauthenticated attacker to create crafted content which, when clicked, could potentially execute arbitrary JavaScript code in the victim's browser. Mitigation: Disable anonymous access to ArcGIS Feature services with edit capabilities.

XSS

ArcGIS Server <11.1 Authenticated XSS via Crafted Hover Link
CVE-2023-25840 3.4 - Low - July 21, 2023

There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker to create a crafted link which onmouseover won't execute but could potentially render an image in the victim's browser. The privileges required to execute this attack are high.

XSS

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier)
CVE-2021-29093 6.8 - Medium - March 25, 2021

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

Dangling pointer

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier)
CVE-2021-29094 6.8 - Medium - March 25, 2021

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allow an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

Classic Buffer Overflow

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier)
CVE-2021-29095 6.8 - Medium - March 25, 2021

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allow an authenticated attacker with specialized permissions to achieve arbitrary code execution in the context of the service account.

Access of Uninitialized Pointer

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier)
CVE-2021-29097 7.8 - High - March 25, 2021

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

Buffer Overflow

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier)
CVE-2021-29098 7.8 - High - March 25, 2021

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

Access of Uninitialized Pointer
