CVE-2026-0533
HIGHCVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Analysis
Stored XSS in Autodesk Fusion's design name field allows attackers to inject malicious HTML that executes when users view the delete confirmation dialog, potentially enabling arbitrary code execution or local file access on affected systems. An attacker must first craft a malicious design name that gets stored in the application, then socially engineer a user to interact with the deletion prompt to trigger the payload. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Notify all Autodesk Fusion users to avoid deleting designs with unusual or suspicious names and escalate any suspicious activity to security. Within 7 days: Deploy the available patch to all Fusion installations across the organization. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today