Esri ArcGIS Pro


By the Year

In 2026 there has been 1 vulnerability in Esri ArcGIS Pro with an average score of 5.0 out of ten. Last year, in 2025, ArcGIS Pro had 2 security vulnerabilities published. If vulnerabilities keep coming in at the current rate, it appears that the number of security vulnerabilities in ArcGIS Pro in 2026 could surpass last year's number. Last year, the average CVE base score was greater by 2.30.

| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 1 | 5.00 |
| 2025 | 2 | 7.30 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 3 | 7.80 |

It may take a day or so for new ArcGIS Pro vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Esri Arcgis Pro Security Vulnerabilities

Cross-Site Scripting (XSS) in Esri ArcGIS Pro 3.6.0 or earlier (local user only)
CVE-2026-1446 5 - Medium - January 26, 2026

There is a Cross-Site Scripting (XSS) issue in Esri ArcGIS Pro versions 3.6.0 and earlier. ArcGIS Pro is a desktop application, and exploitation is limited to local users interacting with the application; no privileged role or elevated permissions are required beyond standard local user access. A local attacker can supply malicious strings that may be rendered and executed when a specific dialog within ArcGIS Pro is opened. This issue is fixed in ArcGIS Pro version 3.6.1.

XSS

ArcGIS AllSource <1.2.1: Untrusted Search Path Exec Vulnerability
CVE-2025-1068 7.3 - High - February 25, 2025

There is an untrusted search path vulnerability in Esri ArcGIS AllSource 1.2 and 1.3 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS AllSource, the file could execute and run malicious commands under the context of the victim. This issue is corrected in ArcGIS AllSource 1.2.1 and 1.3.1.

Untrusted Path

Untrusted Search Path Exec in Esri ArcGIS Pro 3.3/3.4 (fixed 3.3.3/3.4.1)
CVE-2025-1067 7.3 - High - February 25, 2025

There is an untrusted search path vulnerability in Esri ArcGIS Pro 3.3 and 3.4 that may allow a low privileged attacker with write privileges to the local file system to introduce a malicious executable to the filesystem. When the victim performs a specific action using ArcGIS Pro, the file could execute and run malicious commands under the context of the victim. This issue is addressed in ArcGIS Pro 3.3.3 and 3.4.1.

Incorrect Permission Assignment for Critical Resource

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier)
CVE-2021-29097 7.8 - High - March 25, 2021

Multiple buffer overflow vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

Buffer Overflow

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier)
CVE-2021-29098 7.8 - High - March 25, 2021

Multiple uninitialized pointer vulnerabilities when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allow an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

Access of Uninitialized Pointer

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier)
CVE-2021-29096 7.8 - High - March 25, 2021

A use-after-free vulnerability when parsing a specially crafted file in Esri ArcReader, ArcGIS Desktop, ArcGIS Engine 10.8.1 (and earlier) and ArcGIS Pro 2.7 (and earlier) allows an unauthenticated attacker to achieve arbitrary code execution in the context of the current user.

Dangling pointer
