Esri ArcGIS Web AppBuilder HTML Injection Vulnerability
Vulnerability
An HTML injection vulnerability has been identified in Esri ArcGIS Web AppBuilder Developer Edition, versions prior to 2.30. A remote, unauthenticated attacker could lure a user into clicking a link that renders arbitrary HTML in the user's browser. The vulnerability does not allow JavaScript execution, which would have increased its impact, but it still poses a risk because the attacker can manipulate how content is displayed in the browser.
Impact
Exploitation of this vulnerability could lead to unauthorized HTML being rendered in a user's browser, potentially allowing for phishing attacks or other social engineering tactics. However, the lack of JavaScript execution limits the severity of this impact.
