Description
A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Published: 2026-04-14
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting that may enable local file reads or code execution
Action: Immediate Patch
AI Analysis

Impact

A maliciously crafted HTML payload can be stored within a component name and then shown in the Fusion desktop application's delete‑confirmation dialog; clicking the link triggers a stored cross‑site scripting event. The attacker can read local files or execute arbitrary code within the context of the running Fusion process, a flaw classified as CWE‑79.

Affected Systems

The vulnerability affects Autodesk Fusion desktop versions, with the current CPE indicating impact on 2606.0. Any installation of this release that allows component names to contain arbitrary HTML is at risk.

Risk and Exploitability

The CVSS score of 7.1 signals a high severity. Exploitation requires a user to interact with the malicious link presented in the confirmation dialog, so user action is mandatory. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting limited public exploitation data at present. If successfully exploited, the attacker gains code execution privileges equivalent to the Fusion process, potentially allowing local file disclosure or broader compromise.

Generated by OpenCVE AI on April 14, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Autodesk’s website for an updated Fusion installer or patch; upgrade to the latest version when available.
  • If no patch is immediately available, delete or rename any component names that contain unexpected HTML or script fragments to prevent the dialog from rendering malicious content.
  • If Fusion offers a setting to disable embedded web‑view or script rendering, enable it until a vendor repair is released.
  • Monitor Fusion logs and user activity for unusual delete‑confirmation dialogs or script execution events.

Generated by OpenCVE AI on April 14, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Title Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Component Name
First Time appeared Autodesk
Autodesk fusion
Weaknesses CWE-79
CPEs cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk fusion
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Autodesk Fusion
cve-icon MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-04-14T15:07:02.979Z

Reserved: 2026-03-17T15:57:23.974Z

Link: CVE-2026-4344

cve-icon Vulnrichment

Updated: 2026-04-14T15:06:58.811Z

cve-icon NVD

Status : Received

Published: 2026-04-14T15:16:38.467

Modified: 2026-04-14T15:16:38.467

Link: CVE-2026-4344

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:26Z

Weaknesses