Autodesk Fusion CVE-2026-0534
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionCVE.org
A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
AnalysisAI
Stored cross-site scripting in the Autodesk Fusion desktop application allows remote attackers to embed malicious HTML in a part's attribute that, when clicked by a victim, executes script in the application context. Because Fusion is a desktop Electron-style client rather than a sandboxed browser, successful exploitation can escalate to local file read or arbitrary code execution in the user's process. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 4th percentile).
Technical ContextAI
The affected product is Autodesk Fusion (cpe:2.3:a:autodesk:fusion), a cloud-connected CAD/CAM desktop application that renders user-supplied design metadata in its UI. The root cause is CWE-79, improper neutralization of input during web page generation: attributes attached to design 'parts' are stored and later rendered without sufficient sanitization or encoding, so HTML/JavaScript persisted in those attributes is parsed by the embedded webview when a user interacts with the affected element. In desktop applications that embed a browser engine, stored XSS frequently breaks out of the page context into native APIs, which is consistent with the vendor's note that arbitrary code execution in the current process is possible.
RemediationAI
Apply the vendor-supplied update by downloading the latest Fusion client from Autodesk and installing per the security advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001; fresh installers are available at https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe (Windows) and https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg (macOS). Patch status is confirmed available per vendor advisory, but the exact fixed version is not enumerated in the provided data and must be taken from the advisory itself. Until patching is complete, restrict opening of Fusion design files received from external or untrusted parties, treat shared parts libraries as untrusted input, and consider running Fusion under a non-privileged account to limit the blast radius of arbitrary code execution; the trade-off is reduced collaboration velocity for engineering teams that routinely exchange parts.
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi
The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and
Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp
Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi
VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today