Description
A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Published: 2026-04-14
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Stored XSS enabling local file read or arbitrary code execution in Autodesk Fusion desktop
Action: Apply Patch
AI Analysis

Impact

A maliciously crafted HTML payload can be stored in a design name and then exported to CSV, triggering a stored Cross-Site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. The flaw allows an attacker to read local files or execute arbitrary code in the context of the Fusion process, exposing the confidentiality and integrity of data; the CVSS vector on this page rates the availability impact as none. The weakness is classified as CWE-79.

Affected Systems

The affected product is Autodesk Fusion desktop. The CPE entry on this record names version 2606.0 (cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*); no other builds are enumerated, so whether earlier releases are affected is not stated here.

Risk and Exploitability

The CVSS v3.1 score is 7.1 (High), with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N: a local attack vector, low attack complexity, no privileges required, and user interaction required. No EPSS score is available and the vulnerability is not listed in CISA's KEV catalog. Exploitation requires a user to open the compromised design or export it to CSV. Once the payload is rendered, an attacker can read arbitrary files or execute code with the same privileges as the Fusion process.

Generated by OpenCVE AI on April 14, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check Autodesk’s security advisories and install any available update for Fusion that addresses the stored XSS vulnerability.
  • If an update is not yet available, avoid using design names that contain HTML or JavaScript fragments, and refrain from opening CSV files exported from unknown or untrusted sources.
  • Configure Fusion to run with the least privileges necessary and restrict write permissions to directories that contain design files.
  • Monitor Fusion logs for unexpected script execution or file read attempts and investigate any anomalies.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 14:30:00 +0000

Values removed: (none)
Values added:
  Description: A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
  Title: Stored Cross-Site Scripting (XSS) Vulnerability in Design Name
  First Time appeared: Autodesk; Autodesk fusion
  Weaknesses: CWE-79
  CPEs: cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*
  Vendors & Products: Autodesk; Autodesk fusion
  References: (none listed)
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-04-14T15:03:37.351Z

Reserved: 2026-03-17T15:57:30.015Z

Link: CVE-2026-4345

Vulnrichment

Updated: 2026-04-14T15:03:32.911Z

NVD

Status: Received

Published: 2026-04-14T15:16:38.640

Modified: 2026-04-14T15:16:38.640

Link: CVE-2026-4345

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:27Z

Weaknesses