Primary

Context

Esri ArcGIS Pro Cross-Site Scripting Vulnerability

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in Esri ArcGIS Pro versions 3.6.0 and earlier. This issue allows a local attacker to inject malicious strings into ArcGIS Pro, which may be executed when a specific dialog is opened. The vulnerability has been addressed in ArcGIS Pro version 3.6.1.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject malicious scripts that are executed in the context of the user's browser.

Remediation

Users can upgrade to ArcGIS Pro version 3.6.1 to address this vulnerability. This patch is available through the ArcGIS Pro Updater or MyEsri.

Added: Jan 26, 2026, 6:31 PM

Updated: Jan 26, 2026, 6:31 PM

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

1.3

exploitability

3.3

remediation

7.7

relevance

2.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.4

impact

1.3

exploitability

3.3

remediation

7.7

relevance

2.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Esri ArcGIS Pro Cross-Site Scripting Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Esri ArcGIS Pro

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating