Skip to main content

ArcGIS Server EUVDEUVD-2026-41896

| CVE-2026-9182 CRITICAL
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-07-06 Esri GHSA-xj4c-7w4q-9gwv
9.8
CVSS 3.1 · Vendor: Esri
Share

Severity by source

Vendor (Esri) PRIMARY
9.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Unauthenticated remote upload to a network endpoint (AV:N/AC:L/PR:N/UI:N); CWE-434 file upload plausibly yields server compromise, so C/I/A:H, though execution is inferred not confirmed.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Esri).

CVSS VectorVendor: Esri

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jul 08, 2026 - 03:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 08, 2026 - 03:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 08, 2026 - 03:22 vuln.today
cvss_changed
Severity Changed
Jul 08, 2026 - 03:22 NVD
MEDIUM CRITICAL
CVSS changed
Jul 08, 2026 - 03:22 NVD
5.3 (MEDIUM) 9.8 (CRITICAL)
Analysis Generated
Jul 06, 2026 - 19:31 vuln.today

DescriptionCVE.org

ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload.

AnalysisAI

Unrestricted file upload in Esri ArcGIS Server (all versions through 12.0) lets a remote, unauthenticated attacker push arbitrary files to an exposed administrative/upload endpoint, per CVSS PR:N. Esri self-reported the flaw (CWE-434) and rates it critical (CVSS 9.8), and successful upload of an executable payload can lead to full server compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify exposed ArcGIS Server endpoint
Delivery
Send crafted unauthenticated upload request
Exploit
Bypass file-type validation (CWE-434)
Execution
Write malicious file to server
Persist
Execute payload / web shell
Impact
Full server compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the specific ArcGIS Server upload/administrative endpoint that handles file uploads; per CVSS PR:N/UI:N, no authentication and no user interaction are needed against a reachable instance. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker scans for internet-exposed ArcGIS Server instances and sends a crafted HTTP request to the vulnerable upload endpoint with no credentials, placing a malicious file (e.g., a server-executable web shell) onto the host. Because the vector is AV:N/AC:L/PR:N/UI:N, this requires only network reachability and a single request; if the uploaded file lands in an executable context, the attacker gains code execution and pivots to full server control. …
Remediation Apply the fix per vendor advisory: consult Esri's May 2026 ArcGIS security bulletin (https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/may-2026-arcgis-security-bulletin) and upgrade to the patched ArcGIS Server release Esri specifies-an exact fixed version number is not provided in the available data, so verify it directly against that bulletin (patch available per vendor advisory). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Esri ArcGIS Server instances across versions through 12.0; immediately restrict network access to administrative/upload endpoints via firewall rules; enable detailed audit logging of all upload activities. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-4949 MEDIUM POC
6.5 Nov 14

SQL injection vulnerability in ESRI ArcGIS 10.1 allows remote authenticated users to execute arbitrary SQL commands via

CVE-2021-29114 CRITICAL
9.8 Dec 07

A SQL injection vulnerability in feature services provided by Esri ArcGIS Server 10.9 and below allows a remote, unauthe

CVE-2020-35712 CRITICAL
9.8 Dec 26

Esri ArcGIS Server before 10.8 is vulnerable to SSRF in some configurations. Rated critical severity (CVSS 9.8), this vu

CVE-2021-29102 CRITICAL
9.1 Jul 11

A Server-Side Request Forgery (SSRF) vulnerability in ArcGIS Server Manager version 10.8.1 and below may allow a remote,

CVE-2024-51962 HIGH
8.7 Mar 03

A SQL injection vulnerability in ArcGIS Server allows an EDIT operation to modify column properties in a manner that cou

CVE-2024-51954 HIGH
8.5 Mar 03

There is an improper access control issue in ArcGIS Server versions 11.3 and below on Windows and Linux which, under uni

CVE-2022-38196 HIGH
8.1 Oct 25

Esri ArcGIS Server versions 10.9.1 and prior have a path traversal vulnerability that may result in a denial of service

CVE-2026-9181 HIGH
7.5 Jul 06

Unauthenticated file disclosure in Esri ArcGIS Server (all versions 12.0 and prior) lets remote attackers read sensitive

CVE-2013-7232 HIGH
7.5 Dec 30

SQL injection vulnerability in ESRI ArcGIS for Server through 10.2 allows remote attackers to execute arbitrary SQL comm

CVE-2024-51961 HIGH
7.5 Mar 03

There is a local file inclusion vulnerability in ArcGIS Server 11.3 and below that may allow a remote, unauthenticated a

CVE-2022-38202 HIGH
7.5 Dec 28

There is a path traversal vulnerability in Esri ArcGIS Server versions 10.9.1 and below. Rated high severity (CVSS 7.5),

CVE-2021-29095 MEDIUM
6.8 Mar 25

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcGIS Server 10.8.1 (and e

Share

EUVD-2026-41896 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy