Skip to main content

Autodesk Fusion CVE-2026-0533

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-01-22 psirt@autodesk.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 03, 2026 - 14:38 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:37 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:22 NVD
7.1 (HIGH) 8.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Jan 30, 2026 - 17:07 nvd
Patch available
CVE Published
Jan 22, 2026 - 17:16 nvd
HIGH 7.1

DescriptionCVE.org

A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

AnalysisAI

Stored cross-site scripting in the Autodesk Fusion desktop application allows remote attackers to embed a malicious HTML payload in a design name that executes when a user opens the delete confirmation dialog and clicks the rendered content. Successful exploitation can lead to local file disclosure or arbitrary code execution in the context of the Fusion process. No public exploit identified at time of analysis, and EPSS exploitation probability is low (0.04%, 11th percentile).

Technical ContextAI

The flaw is a CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) issue in the Autodesk Fusion desktop client (cpe:2.3:a:autodesk:fusion:*). Fusion is a hybrid desktop/cloud CAD/CAM/CAE platform that renders UI elements such as dialogs using an embedded web/Chromium-style rendering layer, meaning HTML supplied as a design name is interpreted rather than escaped when shown in the delete confirmation dialog. Because the rendering context is the desktop process itself rather than a sandboxed browser tab, injected script can reach beyond the DOM to read local files and invoke native code paths, escalating a classic stored XSS into an RCE-grade primitive.

RemediationAI

Patch available per vendor advisory: update the Autodesk Fusion desktop client to the fixed build referenced in ADSK-SA-2026-0001 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001) using the official downloaders for macOS (Fusion Client Downloader.dmg) and Windows (Fusion Client Downloader.exe). Because the trigger is a delete confirmation dialog on a design name, an interim compensating control is to instruct users not to delete designs that originated from untrusted collaborators or shared team hubs and to rename suspicious designs through the project tree before invoking the delete action - note this is procedural and does not remove the underlying rendering flaw. Where feasible, restrict design sharing into Fusion Teams/Hubs to vetted accounts and remove untrusted external collaborators until all endpoints are confirmed patched, accepting the collaboration friction this introduces.

More in Fusion

View all
CVE-2017-5753 MEDIUM POC
5.6 Jan 04

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

CVE-2016-5330 HIGH POC
7.8 Aug 08

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t

CVE-2025-22226 HIGH
7.1 Mar 04

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi

CVE-2017-4901 CRITICAL POC
9.9 Jun 08

The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha

CVE-2020-3950 HIGH POC
7.8 Mar 17

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for

CVE-2017-4924 HIGH POC
8.8 Sep 15

VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8

CVE-2013-1406 HIGH POC
7.2 Feb 11

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and

CVE-2015-2194 MEDIUM POC
6.5 Mar 03

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp

CVE-2012-1666 MEDIUM POC
6.9 Sep 08

Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa

CVE-2017-4933 HIGH
8.8 Dec 20

VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a

CVE-2017-4905 MEDIUM POC
5.5 Jun 07

VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi

CVE-2017-4941 HIGH
8.8 Dec 20

VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8

Share

CVE-2026-0533 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy