There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.
References
| Link | Resource |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch | Vendor Advisory |
History
06 Feb 2026, 07:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1. |
02 Feb 2026, 13:31
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | Esri arcgis Pro; Esri | |
| CPE | cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:* | |
| References | () https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch - Vendor Advisory |
26 Jan 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-01-26 18:16
Updated : 2026-02-13 19:41
NVD link : CVE-2026-1446
Mitre link : CVE-2026-1446
CVE.ORG link : CVE-2026-1446
Products Affected
esri
- arcgis_pro
CWE
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
