ESRI has released an urgent security patch for ArcGIS Server, which addresses multiple critical vulnerabilities affecting versions 12.0 and prior. The most severe flaw, identified as CVE-2026-9181, is a high-severity directory traversal vulnerability with a CVSS score of 9.8, allowing unauthorized attackers to exploit the system by accessing restricted files. Another vulnerability noted is CVE-2026-9182, a medium-severity unrestricted file upload flaw that could let attackers inject malicious code.
Administrators are urged to implement the patch within two weeks or use Web Application Firewalls (WAFs) as a temporary measure to mitigate risks.