CVE-2026-0534 - Vulnerability Details

- Stored XSS in the value of a part attribute

Description

A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Published: 2026-01-22

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A maliciously crafted HTML payload, stored in a part’s attribute, can be triggered when a user clicks the part. The payload exploits a Stored Cross‑site Scripting flaw in the Autodesk Fusion desktop application, allowing an attacker to read local files or execute arbitrary code in the same context as the application. This can compromise the confidentiality, integrity, and availability of the system and any data handled by Fusion.

Affected Systems

The vulnerability affects the Autodesk Fusion desktop application, specifically the 2603.0 version. Any user of this version that opens parts containing attacker‑controlled attribute values is at risk.

Risk and Exploitability

The CVSS score of 8.1 indicates moderate to high risk, while the EPSS score of less than 1% suggests a very low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack requires user interaction to open or click a malicious part, so the likely attack vector is a social engineering or insider scenario. Successful exploitation would give the attacker code execution privileges within the Fusion process, potentially exposing local files and data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Autodesk

Fusion

unaffected

Version	Status	Constraints
`2603.0`	affected	< 2606.1.21

Configuration 1 [-]

cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*

No data.

Vendor	Product	Confidence	Versions
Autodesk	Fusion	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the latest Autodesk Fusion update that patches CVE‑2026‑0534.
Configure the application to disable or restrict rendering of arbitrary HTML in part attributes.
Avoid opening or interacting with parts from untrusted or unknown sources; use sandboxing where possible.

Generated by OpenCVE AI on June 3, 2026 at 15:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00024.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe
https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001

History

Wed, 03 Jun 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics	cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}`	cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}`

Tue, 03 Feb 2026 21:30:00 +0000

Type	Values Removed	Values Added
Title	HTML Payload Stored Cross-Site Scripting Vulnerability	Stored XSS in the value of a part attribute

Tue, 03 Feb 2026 21:15:00 +0000

Type	Values Removed	Values Added
Title	Stored XSS in the value of a part attribute	HTML Payload Stored Cross-Site Scripting Vulnerability

Tue, 03 Feb 2026 18:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:autodesk:fusion:2603.0:::::::*

Fri, 30 Jan 2026 17:15:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:autodesk:fusion::::::::

Fri, 23 Jan 2026 16:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Autodesk Autodesk fusion
Vendors & Products		Autodesk Autodesk fusion

Thu, 22 Jan 2026 23:00:00 +0000

Type	Values Removed	Values Added
Description		A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Title		Stored XSS in the value of a part attribute
Weaknesses		CWE-79
References		https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001
Metrics		cvssV3_1 `{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Subscriptions

Autodesk Fusion

MITRE

Status: PUBLISHED

Assigner: autodesk

Published: 2026-01-22T16:59:01.906Z

Updated: 2026-06-03T13:29:45.912Z

Reserved: 2025-12-19T18:57:19.012Z

Link: CVE-2026-0534

Vulnrichment

Updated: 2026-01-22T19:53:26.621Z

NVD

Status : Modified

Published: 2026-01-22T17:16:29.113

Modified: 2026-06-03T14:16:31.937

Link: CVE-2026-0534

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:45:36Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction Required

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object