31 matches found
CVE-2026-13019
Esri Portal for ArcGIS versions 12.1 and earlier on Windows, Linux and Kubernetes have a missing authentication for critical function vulnerability allows a remote, unauthenticated attacker to access an unprotected API...
PT-2026-56205
Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions prior to 12.2 Description A weak password recovery mechanism for forgotten passwords allows a remote, unauthorized attacker to assume ownership of a user account by manipulating the recovery process...
PT-2026-56204
Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions prior to 12.2 Description Esri Portal for ArcGIS on Windows, Linux, and Kubernetes contains a flaw where a critical function lacks proper authentication. This allows a remote, unauthenticated attacker to access ...
Esri Portal for ArcGIS 11.5 < Security 2026 Update 1 Incorrect Privilege Assignment (CVE-2026-33518)
The version of Esri Portal for ArcGIS 11.5 installed is missing Security 2026 Update 1. It is, therefore, affected by a vulnerability: - An incorrect privilege assignment vulnerability exists in Portal for ArcGIS that allows highly privileged users to create developer credentials that may grant...
EUVD-2026-24339
An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did not correctly check permissions assigned to developer credentials...
PT-2026-33362
Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions 11.4 through 12.0 Description An incorrect authorization issue exists where the system fails to correctly check permissions assigned to developer credentials. This flaw allows low-privilege users to generate...
EUVD-2025-31601
Malicious code in bioql PyPI...
CVE-2025-57876
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The...
CVE-2025-57871
There is a reflected cross site scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote authenticated attacker with administrative access to supply a crafted string which would execute arbitrary JavaScript code in the browser...
CVE-2025-57877
CVE-2025-57877 affects Esri Portal for ArcGIS
CVE-2025-57878 BUG-000174149 - The Portal for ArcGIS has an unvalidated redirect.
There is an unvalidated redirect vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, unauthenticated attacker to craft a URL that could redirect a victim to an arbitrary website, simplifying phishing attacks...
CVE-2025-57879
The CVE-2025-57879 entry concerns Esri Portal for ArcGIS 11.4 and earlier with an unvalidated redirect vulnerability. The root cause is a URL manipulation/redirect flaw that can enable a remote, unauthenticated attacker to craft a link directing a victim to an arbitrary site, potentially aiding p...
CVE-2025-57876 Stored XSS vulnerability in Portal for ArcGIS
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS 11.4 and below that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in the victim’s browser. The...
PT-2025-39862
Name of the Vulnerable Software and Affected Versions Esri Portal for ArcGIS versions 11.4 and below Description A reflected cross site scripting issue exists that could allow a remote authenticated attacker with administrative access to execute arbitrary JavaScript code in the browser by supplyi...
CVE-2025-55106 BUG-000173171 ArcGIS Enterprise Sites has a Cross-site Scripting vulnerability.
There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject malicious a file with an embedded xss script which when loaded could potentially execute arbitrary JavaScript code in th...
The vulnerability of the Portal for ArcGIS web portal, related to the lack of measures taken to protect the structure of the web page, allows attackers to carry out cross-site scripting attacks.
The vulnerability of the Portal for ArcGIS is related to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks using a specially created web page...
The vulnerability of the Portal for ArcGIS web portal, related to the lack of protective measures for the website structure, allows attackers to carry out cross-site scripting attacks and gain full control over the application.
The vulnerability of the Portal for ArcGIS is related to the lack of measures taken to protect the web page structure. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks and gain full control over the application through a specially created web page...
The vulnerability of the Portal for ArcGIS web portal, related to the lack of measures taken to protect the structure of the web page, allows attackers to carry out cross-site scripting attacks.
The vulnerability of the Portal for ArcGIS is related to the lack of measures taken to protect the structure of the web page. Exploiting this vulnerability allows a malicious actor to perform cross-site scripting attacks using a specially created web page...
CVE-2024-38038
There is a reflected XSS vulnerability in Esri Portal for ArcGIS versions 11.1 which may allow a remote, unauthenticated attacker to create a crafted link which when clicked could potentially execute arbitrary JavaScript code in the victim’s browser...
Vulnerabilities fixed in Esri Arcgis Portal
Esri has fixed vulnerabilities in Arcgis Portal. A malicious party could exploit the vulnerabilities to launch a Cross-Site Scripting attack, or perform a Cross-Site-Request-Forgery execution. Such attacks can lead to execution of arbitrary code in the victim's browser, or access to sensitive dat...