CVE-2026-2813
4.7 MEDIUM
ArcGIS Server contains an input validation weakness in the login redirection workflow
Published: 2026-05-20 · Last updated: 2026-05-21
Severity and scoring
- CVSS: 4.7 MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
- CWE: CWE-601
Affected products
| Vendor | Product |
|---|---|
| esri | arcgis_server |
Description
ArcGIS Server contains an input validation weakness in the login redirection workflow. An authenticated attacker could exploit this issue by sending a specially crafted request. Successful exploitation may result in the application redirecting the browser to an unintended, untrusted site, resulting in a limited confidentiality impact under specific user interaction conditions. The vulnerability affects only the client-side navigation logic during authentication and remains confined to the same security boundary. No server-side compromise or cross-component impact is possible. This issue affects ArcGIS Server 11.5.
Source: NVD
Related CVEs
Same vendor
- CVE-2026-2812 — ArcGIS Server contains an improper authentication vulnerability in an undocumented administrative endpoint (5.3 MEDIUM)
- CVE-2026-33519 — An incorrect authorization vulnerability exists in Esri Portal for ArcGIS 11.4, 11.5 and 12.0 on Windows, Linux and Kubernetes that did n... (9.8 CRITICAL)
- CVE-2026-33518 — An incorrect privilege assignment vulnerability exists in Esri Portal for ArcGIS 11.5 in Windows and Linux that allows highly privileged ... (9.8 CRITICAL)
Same CWE
- CVE-2026-53523 — Nezha Monitoring is a self-hostable, lightweight, servers and websites monitoring and O&M tool (6.8 MEDIUM)
- CVE-2026-50089 — The Aqara IAM/SSO Gateway (gw-builder.aqara.com) provides an open redirect, which is an instance of "CWE-601: URL Redirection to Untruste... (6.1 MEDIUM)
- CVE-2026-46616 — Umbraco is an ASP.NET CMS (5.4 MEDIUM)
- CVE-2026-48856 — Sensitive Data Exposure vulnerability in Erlang OTP inets (httpc_response module) allows Retrieve Embedded Sensitive Data
- CVE-2026-45566 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (6.1 MEDIUM)