PatchSiren

Esri CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Esri CVE published 2026-05-20

CVE-2026-2813

CVE-2026-2813 is a medium-severity issue in ArcGIS Server 11.5’s login redirection workflow. A specially crafted request can cause the browser to navigate to an unintended, untrusted site during authentication, creating a limited confidentiality risk when a user interacts with the flow. The supplied description says the impact stays within the client-side navigation logic and does not lead to server-side [truncated]

MEDIUM Esri CVE published 2026-05-20

CVE-2026-2812

CVE-2026-2812 describes an improper authentication issue affecting ArcGIS Server 12.0 and earlier. According to the NVD record, an unauthenticated attacker can send a crafted request to an undocumented administrative endpoint and may disrupt the web-based browsing interface. The vulnerability is rated CVSS 5.3 (medium) and is mapped to CWE-287.

CRITICAL Esri CVE published 2026-04-21

CVE-2026-33519

CVE-2026-33519 is a critical incorrect-authorization vulnerability in Esri Portal for ArcGIS. Esri’s April 2026 security bulletin and the NVD record describe a failure to correctly check the permissions assigned to developer credentials. The NVD entry rates the issue at CVSS 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating a remotely reachable flaw with potential high impact to confidentiality, integrity, a [truncated]

CRITICAL Esri CVE published 2026-04-21

CVE-2026-33518

CVE-2026-33518 is a critical vulnerability in Esri Portal for ArcGIS 11.5 on Windows and Linux. The issue is described as an incorrect privilege assignment that can allow developer credentials to end up with more privileges than expected. NVD rates the flaw with a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so defenders should treat it as urgent even though the vendor-facing description centers on pri [truncated]