Every CVE whose affected-product data names Esri Arcgis Server, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (69)
CVE-2025-57870 — CVSS 10.0 (critical): A SQL Injection vulnerability exists in Esri ArcGIS Server versions 11.3, 11.4 and 11.5 on Windows, Linux and Kubernetes. This…
CVE-2026-9181 — CVSS 9.8 (critical): ArcGIS Server contains a directory traversal vulnerability. An unauthenticated attacker could exploit this issue by sending crafted path…
CVE-2021-29114 — CVSS 9.8 (critical): A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthenticated attacker…
CVE-2021-29102 — CVSS 9.1 (critical): A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote, unauthenticated…
CVE-2024-51962 — CVSS 8.7 (high): A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that could lead to SQL…
CVE-2024-51954 — CVSS 8.5 (high): There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under unique circumstances…
CVE-2022-38202 — CVSS 7.5 (high): There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Successful exploitation may allow a remote…
CVE-2024-51961 — CVSS 7.5 (high): There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated attacker to craft a…
CVE-2013-7232 — CVSS 7.5 (high): SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL commands via…
CVE-2021-29093 — CVSS 6.8 (medium): A use-after-free vulnerability when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an authenticated…
CVE-2021-29095 — CVSS 6.8 (medium): Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an…
CVE-2021-29094 — CVSS 6.8 (medium): Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and earlier) allows an…
CVE-2012-4949 — CVSS 6.5 (medium): SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via the where parameter…
CVE-2022-38196 — CVSS 6.5 (medium): Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service by allowing a…
CVE-2022-38195 — CVSS 6.1 (medium): There is as reflected cross site scripting issue in Esri ArcGIS Server versions 10.9.1 and below which may allow a remote unauthorized…
CVE-2022-38197 — CVSS 6.1 (medium): Esri ArcGIS Server versions 10.9.1 and below have an unvalidated redirect issue that may allow a remote, unauthenticated attacker to phish…
CVE-2022-38198 — CVSS 6.1 (medium): There is a reflected cross site scripting issue in the Esri ArcGIS Server services directory versions 10.9.1 and below that may allow a…
CVE-2022-38199 — CVSS 6.1 (medium): A remote file download issue can occur in some capabilities of Esri ArcGIS Server web services that may in some edge cases allow a remote…
CVE-2022-38200 — CVSS 6.1 (medium): A cross site scripting vulnerability exists in some map service configurations of ArcGIS Server versions 10.8.1 and 10.7.1. Specifically…
CVE-2021-29116 — CVSS 6.1 (medium): A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server feature services versions 10.8.1 and 10.9 (only) feature services…
CVE-2025-67709 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2025-67710 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2021-29103 — CVSS 6.1 (medium): A reflected Cross Site Scripting (XXS) vulnerability in ArcGIS Server version 10.8.1 and below may allow a remote attacker able to convince…
CVE-2021-29104 — CVSS 6.1 (medium): A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated…
CVE-2021-29106 — CVSS 6.1 (medium): A reflected Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server version 10.8.1 and below may allow a remote attacker able to…
CVE-2021-29107 — CVSS 6.1 (medium): A stored Cross Site Scripting (XXS) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote unauthenticated…
CVE-2025-67708 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2025-67711 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2023-25841 — CVSS 6.1 (medium): There is a stored Cross-site Scripting vulnerability in Esri ArcGIS Server versions 11.0 and below on Windows and Linux platforms that may…
CVE-2025-67705 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2025-67704 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2025-67703 — CVSS 6.1 (medium): There is a stored cross site scripting issue in Esri ArcGIS Server 11.4 and earlier on Windows and Linux that in some configurations allows…
CVE-2014-5122 — CVSS 5.8 (medium): Open redirect vulnerability in ESRI ArcGIS for Server 10.1.1 allows remote attackers to redirect users to arbitrary web sites and conduct…
CVE-2025-67707 — CVSS 5.6 (medium): ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated…
CVE-2025-67706 — CVSS 5.6 (medium): ArcGIS Server versions 11.5 and earlier on Windows and Linux do not sufficiently validate uploaded files, enabling a remote unauthenticated…
CVE-2021-29105 — CVSS 5.4 (medium): A stored Cross Site Scripting (XSS) vulnerability in Esri ArcGIS Server Services Directory version 10.8.1 and below may allow a remote…
CVE-2026-9182 — CVSS 5.3 (medium): ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a…
CVE-2021-29099 — CVSS 5.3 (medium): A SQL injection vulnerability exists in some configurations of ArcGIS Server versions 10.8.1 and earlier. Specially crafted web requests…
CVE-2023-25848 — CVSS 5.3 (medium): ArcGIS Enterprise Server versions 11.0 and below have an information disclosure vulnerability where a remote, unauthorized attacker may…
CVE-2026-2812 — CVSS 5.3 (medium): ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint. An unauthenticated attacker…
CVE-2024-51958 — CVSS 4.9 (medium): There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote…
CVE-2024-51966 — CVSS 4.9 (medium): There is a path traversal vulnerability in ESRI ArcGIS Server versions 11.3 and below. Successful exploitation may allow a remote…
CVE-2024-51953 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51949 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51956 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51957 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51959 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51960 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51948 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51947 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51963 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and follow that may allow a remote, authenticated…
CVE-2024-5888 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51946 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51945 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51944 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51942 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-10904 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51950 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51952 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2024-51951 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in ArcGIS Server for versions 11.3 and below that may allow a remote, authenticated…
CVE-2021-29113 — CVSS 4.7 (medium): A remote file inclusion vulnerability in the ArcGIS Server help documentation may allow a remote, unauthenticated attacker to inject…
CVE-2026-2813 — CVSS 4.7 (medium): ArcGIS Server contains an input validation weakness in the login redirection workflow. An Authenticated attacker could exploit this issue…
CVE-2014-5121 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1.1 allow remote attackers to inject arbitrary web script…
CVE-2014-9741 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Desktop, ArcGIS for Engine, and ArcGIS for Server 10.2.2 and earlier…
CVE-2013-5221 — CVSS 3.5 (low): The mobile-upload feature in Esri ArcGIS for Server 10.1 through 10.2 allows remote authenticated users to upload .exe files by leveraging…
CVE-2013-7231 — CVSS 3.5 (low): Cross-site scripting (XSS) vulnerability in the Mobile Content Server in ESRI ArcGIS for Server 10.1 and 10.2 allows remote authenticated…
CVE-2013-5222 — CVSS 3.5 (low): Multiple cross-site scripting (XSS) vulnerabilities in ESRI ArcGIS for Server 10.1 allow remote authenticated users to inject arbitrary web…
CVE-2023-25840 — CVSS 3.4 (low): There is a Cross-site Scripting vulnerability in ArcGIS Server in versions 11.1 and below that may allow a remote, authenticated attacker…