CVE-2026-1446

5.0 MEDIUM

📋 TL;DR

A Cross-Site Scripting (XSS) vulnerability in Esri ArcGIS Pro versions 3.6.0 and earlier allows local attackers to execute arbitrary JavaScript code within the application. This affects users running vulnerable versions of ArcGIS Pro on their local workstations. Exploitation requires local user access but no special privileges.

💻 Affected Systems

Products:
  • Esri ArcGIS Pro
Versions: 3.6.0 and earlier
Operating Systems: Windows
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects ArcGIS Pro desktop application; requires local user interaction with specific dialog.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attacker gains ability to execute arbitrary JavaScript within ArcGIS Pro context, potentially leading to data theft, privilege escalation, or further system compromise.

🟠 Likely Case

Local user with malicious intent could execute scripts to steal sensitive GIS data, modify project files, or disrupt workflows.

🟢 If Mitigated

With proper patching, risk is eliminated; with workarounds, risk is reduced but not completely removed.

🌐 Internet-Facing: LOW - This is a desktop application vulnerability requiring local access, not directly exploitable over the internet.
🏢 Internal Only: MEDIUM - Internal users with local access to vulnerable ArcGIS Pro installations could exploit this, but exploitation requires specific user interaction with malicious content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local user access and specific user interaction with malicious content in a dialog.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.6.1

Vendor Advisory: https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch

Restart Required: Yes

Instructions:

1. Download ArcGIS Pro 3.6.1 from Esri's website or the ArcGIS Pro installer.
2. Run the installer.
3. Follow the installation prompts.
4. Restart ArcGIS Pro after the installation completes.

🔧 Temporary Workarounds

Restrict local user access (platform: windows)

Limit ArcGIS Pro access to trusted users only and implement least privilege principles.

User awareness training (platform: all)

Train users not to interact with suspicious content in ArcGIS Pro dialogs.

🧯 If You Can't Patch

  • Restrict ArcGIS Pro usage to essential personnel only
  • Implement application whitelisting to prevent unauthorized script execution

🔍 How to Verify

Check if Vulnerable:

Check ArcGIS Pro version in Help > About ArcGIS Pro dialog.

Check Version:

Not applicable - check via ArcGIS Pro GUI Help > About menu.

Verify Fix Applied:

Verify version shows 3.6.1 or later in Help > About ArcGIS Pro.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ArcGIS Pro process behavior
  • Multiple failed dialog interactions

Network Indicators:

  • No network indicators - local vulnerability

SIEM Query:

Not applicable - local desktop application vulnerability