Description
A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Published: 2026-04-14
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Stored Cross‑Site Scripting (XSS) in Autodesk Fusion
Action: Apply Patch
AI Analysis

Impact

A maliciously crafted HTML payload can be embedded in an assembly variant name and will be displayed in the delete confirmation dialog of Autodesk Fusion. If the user clicks the dialog a stored XSS is triggered, allowing an attacker to read local files or execute arbitrary code within the Fusion process context.

Affected Systems

The vulnerability affects Autodesk Fusion desktop version 2606.0. Any installation that has not been updated beyond this version may run with the unpatched code, rendering users susceptible to the exploit.

Risk and Exploitability

The flaw carries a CVSS score of 7.1, indicating moderate‑to‑high severity. Exploitation requires the victim to interact with the malicious confirmation dialog, but once triggered the impact on confidentiality and integrity is significant. EPSS data is unavailable and the issue is not listed in CISA’s KEV catalog, yet the combination of a high CVSS, required user action, and the potential for arbitrary code execution presents a realistic risk in typical environments.

Generated by OpenCVE AI on April 14, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the installed Autodesk Fusion version and determine whether newer releases are available that contain the fix.
  • Install the latest Fusion update that addresses the XSS vulnerability and replace the affected program files.
  • Confirm that the post‑update version number exceeds 2606.0 and monitor Autodesk security advisories for any additional patches or workarounds.

Generated by OpenCVE AI on April 14, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Title Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name
First Time appeared Autodesk
Autodesk fusion
Weaknesses CWE-79
CPEs cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*
Vendors & Products Autodesk
Autodesk fusion
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Autodesk Fusion
cve-icon MITRE

Status: PUBLISHED

Assigner: autodesk

Published:

Updated: 2026-04-14T14:52:05.768Z

Reserved: 2026-03-18T08:19:07.639Z

Link: CVE-2026-4369

cve-icon Vulnrichment

Updated: 2026-04-14T14:52:01.014Z

cve-icon NVD

Status : Received

Published: 2026-04-14T15:16:38.943

Modified: 2026-04-14T15:16:38.943

Link: CVE-2026-4369

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:28Z

Weaknesses