Is Fusion affected by CVE-2026-0535?

Autodesk Fusion users are vulnerable to stored XSS attacks through malicious HTML in component descriptions, potentially allowing attackers to steal credentials, session tokens, or manipulate designs without detection.

CVE-2026-0535

HIGH

2026-01-22 [email protected]

7.1

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

Patch Released

Jan 30, 2026 - 17:07 nvd

Patch available

CVE Published

Jan 22, 2026 - 17:16 nvd

HIGH 7.1

Description

A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Analysis

Stored XSS in Autodesk Fusion allows attackers to inject malicious HTML into component descriptions that executes when users click the payload, enabling local file theft or arbitrary code execution on affected systems. The vulnerability requires user interaction and local access but carries high impact due to the ability to compromise the desktop application's security context. …

Remediation

Within 24 hours: Notify all Autodesk Fusion users to avoid clicking on component descriptions from untrusted sources and enable any available security warnings. Within 7 days: Deploy the available vendor patch across all Fusion installations and verify successful application. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

CVE-2026-0535 vulnerability details – vuln.today

Back

CVE-2026-0535

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-0535

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code