Cross Site Scripting Vulnerability in Esri ArcGIS Pro
CVE-2026-1446

5MEDIUM

Key Information:

Vendor: Esri
Status: Arcgis Pro
Vendor: CVE Published:; 26 January 2026

What is CVE-2026-1446?

A Cross Site Scripting vulnerability exists in Esri ArcGIS Pro that allows a local attacker to inject malicious scripts into the application. This may occur when a specific dialog is opened within versions 3.6.0 and earlier. Successful exploitation could lead to unauthorized script execution, potentially compromising user data and application integrity. Users are advised to upgrade to ArcGIS Pro 3.6.1, where this issue has been addressed.

Affected Version(s)

ArcGIS Pro x64 1.0 < 3.6.1

References

https://www.esri.com/arcgis-blog/products/arcgis-pro/admi...

CVSS V3.1

Score:

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 26, 2026
Vulnerability Reserved
Jan 26, 2026

CVE-2026-1446 Data

JSON