There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.
| Link | Resource |
|---|---|
| https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch | Vendor Advisory |
06 Feb 2026, 07:16
| Type | Values Removed | Values Added |
|---|---|---|
| Summary | (en) There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1. |
02 Feb 2026, 13:31
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch - Vendor Advisory | |
| CPE | cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:* | |
| First Time | Esri arcgis Pro; Esri |
26 Jan 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Published : 2026-01-26 18:16
Updated : 2026-02-13 19:41
NVD link : CVE-2026-1446
Mitre link : CVE-2026-1446
CVE.ORG link : CVE-2026-1446
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')