CVE-2025-67712 MEDIUM

CVE-2025-67712: HTML injection issue in ArcGIS Web App Builder

Vendor Esri
Product ArcGIS Web AppBuilder (Developer Edition)
Weakness CWE-79 · XSS
Published December 19, 2025
Last update January 8, 2026

CVSS base score

4.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

What the vulnerability does

01 Description

There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.

Key dates

02 Disclosure timeline

December 19, 2025 CVE published
January 8, 2026 Record updated