Description
A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Published: 2026-01-22
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A maliciously crafted HTML payload can be stored in the description of an electronic library component and executed when a user interacts with that description, leading to a Stored Cross‑Site Scripting flaw that may allow reading local files or running arbitrary code inside the Fusion desktop process. The vulnerability arises from inadequate sanitization of user‑supplied content (CWE-79) and permits both information disclosure and execution of code with the privileges of the running user.

Affected Systems

The flaw affects Autodesk Fusion desktop versions up to at least 2603.0, as indicated by the product identifiers and CPE entries for Autodesk Fusion. The affected vendor is Autodesk; the specific product is Fusion.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests that the current probability of exploitation in the wild is low but not negligible. The vulnerability is not listed in the CISA KEV catalog, but its potential to execute code in the user’s session makes it a significant risk. The likely attack path involves a malicious actor inserting a crafted description, which a user subsequently clicks, triggering the stored XSS in the Fusion client.

Generated by OpenCVE AI on June 3, 2026 at 15:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Autodesk Fusion to the latest release that includes the fix for the stored XSS issue.
  • If an immediate upgrade is not feasible, disable or remove the electronic library component to prevent users from clicking malicious descriptions.
  • Educate users to avoid interacting with unknown or suspicious content in component descriptions and to verify the source of any scripts they encounter.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 14:15:00 +0000

  Type: Metrics
  Values Removed: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Thu, 26 Feb 2026 17:15:00 +0000

  Type: Metrics
  Values Removed: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 03 Feb 2026 17:45:00 +0000

  Type: CPEs
  Values Added: cpe:2.3:a:autodesk:fusion:2603.0:*:*:*:*:*:*:*

Fri, 30 Jan 2026 17:15:00 +0000

  Type: CPEs
  Values Added: cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000

  Type: First Time appeared
  Values Added: Autodesk; Autodesk fusion

  Type: Vendors & Products
  Values Added: Autodesk; Autodesk fusion

Thu, 22 Jan 2026 23:00:00 +0000

  Type: Description
  Values Added: A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

  Type: Title
  Values Added: Stored XSS in Electronic Library Component Description

  Type: Weaknesses
  Values Added: CWE-79

  Type: References

  Type: Metrics
  Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-06-03T13:30:24.931Z

Reserved: 2025-12-19T18:57:21.548Z

Link: CVE-2026-0535

Vulnrichment

Updated: 2026-01-22T18:24:45.533Z

NVD

Status: Modified

Published: 2026-01-22T17:16:30.260

Modified: 2026-06-03T14:16:32.063

Link: CVE-2026-0535

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T15:45:36Z

Weaknesses