CVE-2025-67712
Unknown Unknown - Not Provided
HTML Injection in Esri ArcGIS Web AppBuilder

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: Environmental Systems Research Institute, Inc.

Description
There is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30 that allows a remote, unauthenticated attacker to potentially entice a user to click a link that causes arbitrary HTML to render in a victim's browser. There is no evidence of JavaScript execution, which limits the impact. At the time of submission, ArcGIS Web App Builder developer edition is retired and unsupported. ArcGIS Web App Builder 2.30 is not susceptible to this vulnerability.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-67712
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
esri arcgis_web_appbuilder *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an HTML injection issue in Esri ArcGIS Web AppBuilder developer edition versions prior to 2.30. It allows a remote, unauthenticated attacker to trick a user into clicking a link that causes arbitrary HTML content to be rendered in the victim's browser. However, there is no evidence that JavaScript can be executed through this vulnerability, which limits its potential impact.

Impact Analysis

The vulnerability can impact you by allowing an attacker to inject arbitrary HTML into your browser via a crafted link, potentially misleading or confusing users. Since JavaScript execution is not possible, the risk of more severe attacks like cross-site scripting is reduced. However, the injected HTML could still be used for phishing or UI manipulation. Additionally, the affected product is retired and unsupported, so no patches are available for versions prior to 2.30, which is not susceptible.

Mitigation Strategies

To mitigate this vulnerability, upgrade ArcGIS Web AppBuilder developer edition to version 2.30 or later, as versions prior to 2.30 are vulnerable. Since the developer edition is retired and unsupported, it is also recommended to migrate to ArcGIS Experience Builder, which is the supported replacement. Avoid using the retired developer edition to prevent exposure to this HTML injection issue. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67712. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart