Cross‑Site Scripting (XSS) vulnerability exists in Esri ArcGIS Pro versions 3.6.0 and earlier. The flaw allows a local user to inject and execute arbitrary JavaScript when a particular dialog box is opened, without requiring elevated privileges or remote access. Because the vulnerable code runs in the context of the user, an attacker who can supply a crafted string could compromise the current user's confidentiality, integrity, or availability of the application data. The weakness is identified as CWE‑79.

This issue affects the Esri ArcGIS Pro desktop application for Windows, specifically all releases 3.6.0 and earlier. The affected products are listed under the Esri:ArcGIS Pro vendor/product name, and the vulnerability impacts any installation that matches that product naming. No other Esri products were mentioned in the advisory.

The CVSS base score of 5.0 indicates moderate severity, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a local attacker who can supply a malicious string that is rendered by the dialog; no privileged or remote access is necessary. Consequently, the risk is limited to the local user’s session, yet it remains significant because successful exploitation could allow arbitrary code execution within that environment.