CVE-2026-1446 is a Cross-Site Scripting (XSS) vulnerability classified under CWE-79, affecting Esri ArcGIS Pro, a widely used desktop GIS application. The flaw exists in versions 3.6.0 and earlier, where improper neutralization of input during web page generation within the application allows malicious scripts to be injected and executed. Specifically, a local attacker with standard user access can supply crafted input strings that are rendered in a particular dialog box, triggering script execution when the dialog is opened. This vulnerability does not require elevated privileges, making it accessible to any local user on the system. The attack vector is local with user interaction required, limiting remote exploitation. The impact includes potential leakage of sensitive information and manipulation of application data, compromising confidentiality and integrity. Availability is not affected. The vulnerability has a CVSS 3.1 base score of 5.0 (medium severity), reflecting the limited attack vector and required user interaction but acknowledging the scope of impact due to the application's role in critical GIS operations. Esri has addressed this issue in ArcGIS Pro version 3.6.1. No public exploits have been reported, but the vulnerability poses a risk in environments where multiple users share workstations or where local access is possible by untrusted users.

For European organizations, the impact of CVE-2026-1446 can be significant in sectors relying heavily on GIS data, such as government agencies, urban planning, utilities, transportation, and environmental monitoring. Exploitation could lead to unauthorized disclosure of sensitive geospatial data or manipulation of GIS project information, undermining decision-making processes and operational integrity. Since ArcGIS Pro is often used in collaborative environments, a local attacker could leverage this vulnerability to escalate access to confidential project details or inject misleading data. Although the attack requires local access and user interaction, insider threats or compromised endpoints could exploit this flaw. The lack of availability impact means operational disruption is unlikely, but data confidentiality and integrity risks remain notable. European organizations with shared workstations or less restrictive local user controls are particularly vulnerable. Failure to patch could expose critical infrastructure mapping and planning data to tampering or leakage, potentially affecting national security and critical services.

Organizations should immediately upgrade all ArcGIS Pro installations to version 3.6.1 or later, where the vulnerability is patched. Implement strict local user access controls to limit the number of users with physical or remote desktop access to systems running ArcGIS Pro. Employ endpoint security solutions that monitor and restrict execution of unauthorized scripts or code injections within applications. Conduct user training to raise awareness about the risks of opening untrusted dialogs or files within ArcGIS Pro. Regularly audit and monitor local user activities on GIS workstations to detect suspicious behavior indicative of exploitation attempts. Consider application whitelisting to prevent unauthorized modifications to ArcGIS Pro files or configurations. In environments with shared workstations, enforce session isolation and robust authentication to reduce the risk of local privilege abuse. Finally, maintain up-to-date backups of GIS projects to recover from potential data integrity compromises.