Autodesk Fusion CVE-2026-0535
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionCVE.org
A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
AnalysisAI
Stored cross-site scripting in the Autodesk Fusion desktop application allows a malicious actor to embed an HTML payload in a component's description that, when clicked by another user, can read local files or execute arbitrary code in the context of the Fusion process. The vulnerability requires user interaction but no authentication on the victim side, and Autodesk has released a patch via security advisory ADSK-SA-2026-0001. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.
Technical ContextAI
Autodesk Fusion is a desktop CAD/CAM/CAE application that renders portions of its UI - including component metadata such as descriptions - using an embedded web/HTML rendering layer (typical of Electron- or CEF-based desktop apps). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): component description fields are stored without sanitization and later rendered as HTML, allowing injected script to execute inside the application chrome. Because the rendering context is the desktop process rather than a sandboxed browser tab, script execution can reach native APIs, enabling local file reads and arbitrary code execution in the user's session. The affected CPE is cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*, indicating all versions of the Fusion desktop client prior to the fix.
RemediationAI
Patch available per vendor advisory: upgrade Autodesk Fusion to the fixed build referenced in ADSK-SA-2026-0001 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001), reinstalling via the official Fusion Client Downloader if needed. Until the patch is rolled out organization-wide, restrict ingestion of Fusion components from untrusted sources - block or quarantine third-party component libraries and shared cloud projects from unknown collaborators, and instruct users not to click into descriptions on unfamiliar components (trade-off: disrupts collaboration workflows that rely on community or vendor-supplied parts). Where Fusion is used in regulated or high-value engineering environments, consider running it in a non-privileged Windows account so that any code executed via this XSS inherits reduced filesystem and network reach (trade-off: licensing and team-data-cache locations may need reconfiguration).
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi
The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and
Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp
Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi
VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today