Stored Cross Site Scripting Vulnerability in Esri ArcGIS Server for Windows and Linux
CVE-2025-67711

6.1 MEDIUM

Key Information:

Vendor: Esri
CVE Published: 31 December 2025

What is CVE-2025-67711?

Esri ArcGIS Server versions up to 11.4 are prone to a stored cross-site scripting vulnerability that permits remote unauthenticated attackers to store harmful files containing malicious scripts. These scripts can be executed in the context of a victim's browser, potentially compromising user sessions or giving the attacker unauthorized access to sensitive information. Appropriate measures should be taken to update configurations and implement security patches to mitigate this risk.

Affected Version(s)

ArcGIS Server Windows 10.9.1 <= 11.4

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
