Description

There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.

INFO

Published Date :

2025-12-19T20:05:42.172Z

Last Modified :

2026-01-08T16:47:34.111Z

Source :

Esri
AFFECTED PRODUCTS

The following products are affected by CVE-2025-67712 vulnerability.

Vendors Products
Esri
  • Arcgis
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-67712.

URL Resource
https://support.esri.com/en-us/knowledge-base/deprecation-arcgis-web-appbuilder-000036340 cve-icon cve-icon
https://www.mdronski.pl/2026/01/CVE-2025-67712-Proof-of-concept-and-technical-analysis.html cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact