ArcGIS Server <= 12.0 Multiple Vulnerabilities (Security 2026 Update 2)

critical Nessus Plugin ID 325895

Synopsis

The remote web server is affected by multiple vulnerabilities.

Description

The version of ArcGIS Server installed on the remote host is 12.0 or prior. It is, therefore, affected by multiple vulnerabilities:

- ArcGIS Server contains a directory traversal vulnerability. An unauthenticated attacker could exploit this issue by sending crafted path parameters. Successful exploitation could allow access to sensitive files on the system.
(CVE-2026-9181)

- ArcGIS Server contains an unrestricted file upload vulnerability. An unauthenticated attacker could exploit this issue by uploading a crafted file to the affected endpoint. Successful exploitation could allow arbitrary file upload. (CVE-2026-9182)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Apply the ArcGIS Server Security 2026 Update 2 Patch.

See Also

http://www.nessus.org/u?24940643

Plugin Details

Severity: Critical

ID: 325895

File Name: arcgis_server_2026_update_2.nasl

Version: 1.2

Type: Remote

Family: CGI abuses

Published: 7/9/2026

Updated: 7/10/2026

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.7

Percentile: 96.44

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-9182

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:esri:arcgis_server

Required KB Items: installed_sw/ArcGIS Server, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 5/27/2026

Vulnerability Publication Date: 5/27/2026

Reference Information

CVE: CVE-2026-9181, CVE-2026-9182