{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1446", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "state": "PUBLISHED", "assignerShortName": "Esri", "dateReserved": "2026-01-26T16:40:43.410Z", "datePublished": "2026-01-26T17:24:12.411Z", "dateUpdated": "2026-02-06T06:04:15.645Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "platforms": ["x64", "windows"], "product": "ArcGIS Pro", "vendor": "Esri", "versions": [{"lessThan": "3.6.1", "status": "affected", "version": "1.0", "versionType": "custom"}]}], "datePublic": "2026-01-27T06:04:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<div>There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.</div>"}], "value": "There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1."}], "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-02-06T06:04:15.645Z"}, "references": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Upgrade to ArcGIS Pro 3.6.1"}], "value": "Upgrade to ArcGIS Pro 3.6.1"}], "source": {"defect": ["BUG-000095782"], "discovery": "UNKNOWN"}, "title": "XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier", "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T21:03:31.731403Z", "id": "CVE-2026-1446", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T21:04:26.238Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1446", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T21:03:31.731403Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T21:03:38.028Z"}}], "cna": {"title": "XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier", "source": {"defect": ["BUG-000095782"], "discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-63", "descriptions": [{"lang": "en", "value": "CAPEC-63 Cross-Site Scripting (XSS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Esri", "product": "ArcGIS Pro", "versions": [{"status": "affected", "version": "1.0", "lessThan": "3.6.1", "versionType": "custom"}], "platforms": ["x64", "windows"], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Upgrade to ArcGIS Pro 3.6.1", "supportingMedia": [{"type": "text/html", "value": "Upgrade to ArcGIS Pro 3.6.1", "base64": false}]}], "datePublic": "2026-01-27T06:04:00.000Z", "references": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.", "supportingMedia": [{"type": "text/html", "value": "<div>There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.</div>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "shortName": "Esri", "dateUpdated": "2026-02-06T06:04:15.645Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1446", "state": "PUBLISHED", "dateUpdated": "2026-02-06T06:04:15.645Z", "dateReserved": "2026-01-26T16:40:43.410Z", "assignerOrgId": "cedc17bb-4939-4f40-a1f4-30ae8af1094e", "datePublished": "2026-01-26T17:24:12.411Z", "assignerShortName": "Esri"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*", "matchCriteriaId": "2F0713E0-AF74-4D99-8276-077D18CED526", "versionEndExcluding": "3.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a Cross\u2011Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1."}], "id": "CVE-2026-1446", "lastModified": "2026-02-13T19:41:55.783", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "psirt@esri.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-26T18:16:30.140", "references": [{"source": "psirt@esri.com", "tags": ["Vendor Advisory"], "url": "https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch"}], "sourceIdentifier": "psirt@esri.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@esri.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:01:26.925583+00:00", "value": {"mitigation_remediation": ["Upgrade Esri ArcGIS Pro to version 3.6.1 or later, which removes the XSS flaw.", "Avoid opening the vulnerable dialog or use only trusted content until the application is upgraded.", "If available, configure the application to block script execution or enforce input sanitization for the dialog contents to reduce the risk of script execution."], "summary": {"action": "Upgrade", "impact": "Local XSS"}, "threat_synthesis": {"affected_systems": "This issue affects the Esri ArcGIS Pro desktop application for Windows, specifically all releases 3.6.0 and earlier. The affected products are listed under the Esri:ArcGIS Pro vendor/product name, and the vulnerability impacts any installation that matches that product naming. No other Esri products were mentioned in the advisory.", "description_and_impact": "Cross\u2011Site Scripting (XSS) vulnerability exists in Esri ArcGIS Pro versions 3.6.0 and earlier. The flaw allows a local user to inject and execute arbitrary JavaScript when a particular dialog box is opened, without requiring elevated privileges or remote access. Because the vulnerable code runs in the context of the user, an attacker who can supply a crafted string could compromise the current user's confidentiality, integrity, or availability of the application data. The weakness is identified as CWE\u201179.", "risk_and_exploitability": "The CVSS base score of 5.0 indicates moderate severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires a local attacker who can supply a malicious string that is rendered by the dialog; no privileged or remote access is necessary. Consequently, the risk is limited to the local user\u2019s session, yet it remains significant because successful exploitation could allow arbitrary code execution within that environment."}}}}, "created": "2026-01-27T09:03:37.730943+00:00", "updated": "2026-04-18T15:15:03.684429+00:00", "vendors": ["esri", "esri$PRODUCT$arcgis_pro"]}