Impact
The flaw is a stored XSS in Autodesk Fusion desktop's delete‑confirmation dialog. A maliciously crafted HTML fragment embedded in a design name is rendered when the dialog appears, and clicking the confirmation button causes the browser‑like component to execute the injected script. The injected code can read local files or run arbitrary commands in the context of the Fusion process, giving an attacker code execution on the affected machine. This weakness is a classic example of CWE‑79: unsanitized user‑controlled input is inserted into markup and ends up executed as script.
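The CWE‑79 pattern described above, as an added illustration that is not Autodesk's code: a design name is interpolated into the confirmation dialog's HTML, first unescaped and then escaped, together with a coarse check a defender can run over stored design names. The dialog template, the function names and the sample design name are assumptions constructed for this example.

```javascript
// Added example of the dialog-rendering flaw and its fix. Not Fusion's code;
// the template, function names and sample name are assumptions.

// Minimal HTML escaping for text placed inside an element body or attribute.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable form: the raw name becomes markup, so any tag inside it is
// parsed by the browser-like host and any script it carries is executed.
function renderDeleteDialogUnsafe(designName) {
  return `<p>Delete "${designName}"? This cannot be undone.</p>` +
         `<button id="confirm">Delete</button>`;
}

// Hardened form: the name is escaped before interpolation, so it is only
// ever displayed as text, never interpreted as markup.
function renderDeleteDialogSafe(designName) {
  return `<p>Delete "${escapeHtml(designName)}"? This cannot be undone.</p>` +
         `<button id="confirm">Delete</button>`;
}

// Coarse audit check for stored names: flags strings that could be parsed as
// a tag, a javascript: URL or an inline event handler. It is a heuristic for
// triaging a design library, not a replacement for output encoding.
function nameLooksLikeMarkup(designName) {
  return /<[a-zA-Z!/]|javascript:|\bon\w+\s*=/i.test(String(designName));
}

// Constructed sample name; the script body is an inert marker.
const SAMPLE_NAME = "Bracket v2 <script>/* constructed marker */</script>";

console.log("unsafe :", renderDeleteDialogUnsafe(SAMPLE_NAME));
console.log("safe   :", renderDeleteDialogSafe(SAMPLE_NAME));
console.log("flagged:", nameLooksLikeMarkup(SAMPLE_NAME));
```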
Affected Systems
All installations of Autodesk Fusion desktop, including the 2603.0 release and earlier unreleased builds that have not yet been patched. The vulnerability affects any version that presents the design name in the delete‑confirmation dialog without proper sanitization.
Risk and Exploitability
The CVSS score of 8.1 reflects a high risk once the flaw is exploited. The EPSS score is below 1 %, indicating a low likelihood of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local: an attacker who can create or modify a design's name in the local filesystem can embed the malicious payload. Exploitation requires the victim to have access to the machine and to interact with the delete‑confirmation dialog, so this is a threat that requires local user privileges rather than a remote one. Code execution or file access follows directly from the injection, making the impact severe for a legitimate local user.
OpenCVE Enrichment