Esri Portal For Arcgis — known CVE vulnerabilities
Every CVE whose affected-product data names Esri Portal For Arcgis, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (73)
CVE-2024-25693 — CVSS 9.9 (critical): There is a path traversal in Esri Portal for ArcGIS versions <= 11.2. Successful exploitation may allow a remote, authenticated attacker to…
CVE-2026-33518 — CVSS 9.8 (critical): An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged…
CVE-2026-33519 — CVSS 9.8 (critical): An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not…
CVE-2025-2538 — CVSS 9.8 (critical): A hardcoded credential vulnerability exists in a specific deployment pattern for Esri Portal for ArcGIS versions 11.4 and below that may…
CVE-2025-4967 — CVSS 9.1 (critical): Esri Portal for ArcGIS 11.4 and prior allows a remote, unauthenticated attacker to bypass the Portal’s SSRF protections.
CVE-2023-25832 — CVSS 8.8 (high): There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.0 and below that may allow an attacker to trick…
CVE-2021-29108 — CVSS 8.8 (high): There is an privilege escalation vulnerability in organization-specific logins in Esri Portal for ArcGIS versions 10.9 and below that may…
CVE-2022-38205 — CVSS 8.6 (high): In some non-default installations of Esri Portal for ArcGIS versions 10.9.1 and below, a directory traversal issue may allow a remote…
CVE-2024-25699 — CVSS 8.5 (high): There is a difficult‑to‑exploit improper authentication issue in the Home application for Esri Portal for ArcGIS versions 11.2 and…
CVE-2023-25837 — CVSS 8.4 (high): There is a Cross‑Site Scripting (XSS) vulnerability in Esri ArcGIS Enterprise Sites versions 10.9 and below that may allow a remote…
CVE-2023-25835 — CVSS 8.4 (high): There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS Sites versions 11.1 and below that may allow a…
CVE-2022-38212 — CVSS 7.5 (high): Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were…
CVE-2022-38184 — CVSS 7.5 (high): There is an improper access control vulnerability in Portal for ArcGIS versions 10.8.1 and below which could allow a remote…
CVE-2024-38040 — CVSS 7.5 (high): There is a local file inclusion vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker to…
CVE-2022-38187 — CVSS 7.5 (high): Prior to version 10.9.0, the sharing/rest/content/features/analyze endpoint is always accessible to anonymous users, which could allow an…
CVE-2022-38211 — CVSS 7.5 (high): Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.9.1 and below were…
CVE-2022-38203 — CVSS 7.5 (high): Protections against potential Server-Side Request Forgery (SSRF) vulnerabilities in Esri Portal for ArcGIS versions 10.8.1 and below were…
CVE-2024-25695 — CVSS 7.2 (high): There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.2 and below that may allow a remote, authenticated…
CVE-2022-38194 — CVSS 6.7 (medium): In Esri Portal for ArcGIS versions 10.8.1, a system property is not properly encrypted. This may lead to a local user reading sensitive…
CVE-2022-38208 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11 and below that may allow a remote, unauthenticated attacker to…
CVE-2021-29109 — CVSS 6.1 (medium): A reflected XSS vulnerability in Esri Portal for ArcGIS version 10.9 and below may allow a remote attacker able to convince a user to click…
CVE-2022-38186 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below which may allow a remote attacker able to…
CVE-2022-38188 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 which may allow a remote attacker able to convince a user…
CVE-2022-38190 — CVSS 6.1 (medium): A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS configurable apps may allow a remote, unauthenticated attacker…
CVE-2022-38191 — CVSS 6.1 (medium): There is an HTML injection issue in Esri Portal for ArcGIS versions 10.9.0 and below which may allow a remote, authenticated attacker to…
CVE-2022-38192 — CVSS 6.1 (medium): A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store…
CVE-2022-38193 — CVSS 6.1 (medium): There is a code injection vulnerability in Esri Portal for ArcGIS versions 10.8.1 and below that may allow a remote, unauthenticated…
CVE-2022-38204 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote, unauthenticated…
CVE-2022-38206 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote remote, unauthenticated…
CVE-2022-38207 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.8.1 and 10.7.1 which may allow a remote remote…
CVE-2022-38209 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated…
CVE-2022-38210 — CVSS 6.1 (medium): There is a reflected HTML injection vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below that may allow a remote…
CVE-2023-25829 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker…
CVE-2023-25830 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and before which may allow a remote, unauthenticated…
CVE-2023-25831 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1and below which may allow a remote, unauthenticated…
CVE-2024-25691 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 and below which may allow a remote, unauthenticated attacker…
CVE-2024-25698 — CVSS 6.1 (medium): There is a reflected cross site scripting vulnerability in the home application in Esri Portal for ArcGIS 11.1 and below on Windows and…
CVE-2024-25706 — CVSS 6.1 (medium): There is an HTML injection vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker to…
CVE-2024-25709 — CVSS 6.1 (medium): There is a stored Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.2 and below that may allow a remote…
CVE-2024-38037 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.0 and below that may allow a remote, unauthenticated attacker…
CVE-2024-38038 — CVSS 6.1 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 which may allow a remote, unauthenticated attacker to create…
CVE-2024-8148 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.2 and below that may allow a remote, unauthenticated attacker…
CVE-2025-57872 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker…
CVE-2025-57878 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker…
CVE-2025-57879 — CVSS 6.1 (medium): There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker…
CVE-2023-25836 — CVSS 5.4 (medium): There is a Cross-site Scripting vulnerability in Esri Portal for ArcGIS Sites in versions 10.9 and below that may allow a remote…
CVE-2022-38189 — CVSS 5.4 (medium): A stored Cross Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS may allow a remote, authenticated attacker to pass and store…
CVE-2024-25705 — CVSS 5.4 (medium): There is a cross‑site scripting (XSS) vulnerability in Esri Portal for ArcGIS Experience Builder versions 11.1 and below on Windows and…
CVE-2023-25834 — CVSS 5.4 (medium): Changes to user permissions in Portal for ArcGIS 10.9.1 and below are incompletely applied in specific use cases. This issue may allow…
CVE-2021-29110 — CVSS 5.4 (medium): Stored cross-site scripting (XSS) issue in Esri Portal for ArcGIS may allow a remote unauthenticated attacker to pass and store malicious…
CVE-2023-25833 — CVSS 5.4 (medium): There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker…
CVE-2024-25692 — CVSS 5.4 (medium): There is a cross-site-request forgery vulnerability in Esri Portal for ArcGIS Versions 11.1 and below that may in some cases allow a…
CVE-2024-38036 — CVSS 5.4 (medium): There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 10.9.1 and below which may allow a remote, unauthenticated…
CVE-2024-25697 — CVSS 5.4 (medium): There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.1 and below that may allow a remote, authenticated…
CVE-2024-38039 — CVSS 5.4 (medium): There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.0 and below that may allow a remote, authenticated attacker…
CVE-2025-57871 — CVSS 4.8 (medium): There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated…
CVE-2024-25694 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise versions 11.1 and below that may allow a remote…
CVE-2024-25696 — CVSS 4.8 (medium): There is a Cross-site Scripting vulnerability in Portal for ArcGIS in versions 11.0 and below that may allow a remote, authenticated…
CVE-2025-57873 — CVSS 4.8 (medium): There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated…
CVE-2025-55105 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a…
CVE-2024-25707 — CVSS 4.8 (medium): There is a reflected cross site scripting in Esri Portal for ArcGIS 11.1 and below on Windows and Linux x64 allows a remote authenticated…
CVE-2025-57875 — CVSS 4.8 (medium): There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated…
CVE-2025-57876 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated…
CVE-2025-57877 — CVSS 4.8 (medium): There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated…
CVE-2025-55103 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a…
CVE-2025-55104 — CVSS 4.8 (medium): A stored cross-site scripting (XSS) vulnerability exists ArcGIS HUB and ArcGIS Enterprise Sites which allows an authenticated user with the…
CVE-2025-57874 — CVSS 4.8 (medium): There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated…
CVE-2025-55106 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a…
CVE-2025-55107 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a…
CVE-2024-25701 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Experience Builder versions 11.1 and below that…
CVE-2024-25702 — CVSS 4.8 (medium): There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 11.1 and below that may allow a…
CVE-2024-25690 — CVSS 4.7 (medium): There is an HTML injection vulnerability in Esri Portal for ArcGIS versions 11.1 and below that may allow a remote, unauthenticated…
CVE-2024-8149 — CVSS 4.6 (medium): There is a reflected Cross‑Site Scripting (XSS) vulnerability in Esri Portal for ArcGIS versions 11.1 and 11.2 that may allow a remote…