CVE-2026-2813 is a medium-severity issue in ArcGIS Server 11.5’s login redirection workflow. A specially crafted request can cause the browser to navigate to an unintended, untrusted site during authentication, creating a limited confidentiality risk when a user interacts with the flow. The supplied description says the impact stays within the client-side navigation logic and does not lead to server-side [truncated]
CVE-2026-2812 describes an improper authentication issue affecting ArcGIS Server 12.0 and earlier. According to the NVD record, an unauthenticated attacker can send a crafted request to an undocumented administrative endpoint and may disrupt the web-based browsing interface. The vulnerability is rated CVSS 5.3 (medium) and is mapped to CWE-287.
CVE-2026-33519 is a critical incorrect-authorization vulnerability in Esri Portal for ArcGIS. Esri’s April 2026 security bulletin and the NVD record describe a failure to correctly check permissions assigned to developer credentials. The NVD entry rates the issue CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable flaw with potential high impact to confidentiality, integrity, a [truncated]
CVE-2026-33518 is a critical vulnerability in Esri Portal for ArcGIS 11.5 on Windows and Linux. The issue is described as an incorrect privilege assignment that can allow developer credentials to end up with more privileges than expected. NVD rates the flaw 9.8 under CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so defenders should treat it as urgent even though the vendor-facing description centers on pri [truncated]