CVE-2026-1446 MEDIUM

CVE-2026-1446: XSS issue is Esri ArcGIS Pro versions 3.6.0 and earlier

Vendor Esri
Product ArcGIS Pro
Weakness CWE-79 · XSS
Published January 26, 2026
Last update February 6, 2026
View on NVD All CVEs

CVSS base score

5.0/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.

Key dates

02Disclosure timeline

January 26, 2026 CVE published
February 6, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-30770 WordPress Charitable plugin <= 1.8.4.7 - Cross Site Scripting (XSS) Vulnerability CVE-2026-31379 Apache OFBiz: Path Traversal and File Upload Validation Bypass Leading to Arbitrary File Write, Stored XSS and RCE in Catalog Manager CVE-2023-47231 WordPress ShortCodes UI Plugin <= 1.9.8 is vulnerable to Cross Site Scripting (XSS) CVE-2026-32712 Open Source Point of Sale has Stored XSS in Customer Name (Sales) CVE-2024-11330 Custom CSS, JS & PHP <= 2.3.0 - Reflected Cross-Site Scripting