Skip to main content

Autodesk Fusion CVE-2026-0534

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-01-22 psirt@autodesk.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 03, 2026 - 14:37 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:36 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:22 NVD
7.1 (HIGH) 8.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Jan 30, 2026 - 17:08 nvd
Patch available
CVE Published
Jan 22, 2026 - 17:16 nvd
HIGH 7.1

DescriptionCVE.org

A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

AnalysisAI

Stored cross-site scripting in the Autodesk Fusion desktop application allows remote attackers to embed malicious HTML in a part's attribute that, when clicked by a victim, executes script in the application context. Because Fusion is a desktop Electron-style client rather than a sandboxed browser, successful exploitation can escalate to local file read or arbitrary code execution in the user's process. No public exploit identified at time of analysis, and EPSS exploitation probability is very low (0.02%, 4th percentile).

Technical ContextAI

The affected product is Autodesk Fusion (cpe:2.3:a:autodesk:fusion), a cloud-connected CAD/CAM desktop application that renders user-supplied design metadata in its UI. The root cause is CWE-79, improper neutralization of input during web page generation: attributes attached to design 'parts' are stored and later rendered without sufficient sanitization or encoding, so HTML/JavaScript persisted in those attributes is parsed by the embedded webview when a user interacts with the affected element. In desktop applications that embed a browser engine, stored XSS frequently breaks out of the page context into native APIs, which is consistent with the vendor's note that arbitrary code execution in the current process is possible.

RemediationAI

Apply the vendor-supplied update by downloading the latest Fusion client from Autodesk and installing per the security advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001; fresh installers are available at https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe (Windows) and https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg (macOS). Patch status is confirmed available per vendor advisory, but the exact fixed version is not enumerated in the provided data and must be taken from the advisory itself. Until patching is complete, restrict opening of Fusion design files received from external or untrusted parties, treat shared parts libraries as untrusted input, and consider running Fusion under a non-privileged account to limit the blast radius of arbitrary code execution; the trade-off is reduced collaboration velocity for engineering teams that routinely exchange parts.

More in Fusion

View all
CVE-2017-5753 MEDIUM POC
5.6 Jan 04

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

CVE-2016-5330 HIGH POC
7.8 Aug 08

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t

CVE-2025-22226 HIGH
7.1 Mar 04

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi

CVE-2017-4901 CRITICAL POC
9.9 Jun 08

The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha

CVE-2020-3950 HIGH POC
7.8 Mar 17

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for

CVE-2017-4924 HIGH POC
8.8 Sep 15

VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8

CVE-2013-1406 HIGH POC
7.2 Feb 11

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and

CVE-2015-2194 MEDIUM POC
6.5 Mar 03

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp

CVE-2012-1666 MEDIUM POC
6.9 Sep 08

Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa

CVE-2017-4933 HIGH
8.8 Dec 20

VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a

CVE-2017-4905 MEDIUM POC
5.5 Jun 07

VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi

CVE-2017-4941 HIGH
8.8 Dec 20

VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8

Share

CVE-2026-0534 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy