Autodesk Fusion CVE-2026-0533
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionCVE.org
A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
AnalysisAI
Stored cross-site scripting in the Autodesk Fusion desktop application allows remote attackers to embed a malicious HTML payload in a design name that executes when a user opens the delete confirmation dialog and clicks the rendered content. Successful exploitation can lead to local file disclosure or arbitrary code execution in the context of the Fusion process. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.04%, 11th percentile).
Technical ContextAI
The flaw is a CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue in the Autodesk Fusion desktop client (cpe:2.3:a:autodesk:fusion:*). Fusion is a hybrid desktop/cloud CAD/CAM/CAE platform that renders UI elements such as dialogs using an embedded web/Chromium-style rendering layer, meaning HTML supplied as a design name is interpreted rather than escaped when shown in the delete confirmation dialog. Because the rendering context is the desktop process itself rather than a sandboxed browser tab, injected script can reach beyond the DOM to read local files and invoke native code paths, escalating a classic stored XSS into an RCE-grade primitive.
RemediationAI
Patch available per vendor advisory: update the Autodesk Fusion desktop client to the fixed build referenced in ADSK-SA-2026-0001 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001) using the official downloaders for macOS (Fusion Client Downloader.dmg) and Windows (Fusion Client Downloader.exe). Because the trigger is a delete confirmation dialog on a design name, an interim compensating control is to instruct users not to delete designs that originated from untrusted collaborators or shared team hubs and to rename suspicious designs through the project tree before invoking the delete action - note this is procedural and does not remove the underlying rendering flaw. Where feasible, restrict design sharing into Fusion Teams/Hubs to vetted accounts and remove untrusted external collaborators until all endpoints are confirmed patched, accepting the collaboration friction this introduces.
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi
The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and
Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp
Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi
VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today