Skip to main content

Autodesk Fusion CVE-2026-0535

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-01-22 psirt@autodesk.com
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

7
Analysis Updated
Jun 03, 2026 - 14:36 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 03, 2026 - 14:35 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 03, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
Jun 03, 2026 - 14:22 NVD
7.1 (HIGH) 8.1 (HIGH)
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
Patch released
Jan 30, 2026 - 17:07 nvd
Patch available
CVE Published
Jan 22, 2026 - 17:16 nvd
HIGH 7.1

DescriptionCVE.org

A maliciously crafted HTML payload, stored in a component’s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

AnalysisAI

Stored cross-site scripting in the Autodesk Fusion desktop application allows a malicious actor to embed an HTML payload in a component's description that, when clicked by another user, can read local files or execute arbitrary code in the context of the Fusion process. The vulnerability requires user interaction but no authentication on the victim side, and Autodesk has released a patch via security advisory ADSK-SA-2026-0001. No public exploit identified at time of analysis and EPSS exploitation probability is very low at 0.02%.

Technical ContextAI

Autodesk Fusion is a desktop CAD/CAM/CAE application that renders portions of its UI - including component metadata such as descriptions - using an embedded web/HTML rendering layer (typical of Electron- or CEF-based desktop apps). The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation): component description fields are stored without sanitization and later rendered as HTML, allowing injected script to execute inside the application chrome. Because the rendering context is the desktop process rather than a sandboxed browser tab, script execution can reach native APIs, enabling local file reads and arbitrary code execution in the user's session. The affected CPE is cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*, indicating all versions of the Fusion desktop client prior to the fix.

RemediationAI

Patch available per vendor advisory: upgrade Autodesk Fusion to the fixed build referenced in ADSK-SA-2026-0001 (https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001), reinstalling via the official Fusion Client Downloader if needed. Until the patch is rolled out organization-wide, restrict ingestion of Fusion components from untrusted sources - block or quarantine third-party component libraries and shared cloud projects from unknown collaborators, and instruct users not to click into descriptions on unfamiliar components (trade-off: disrupts collaboration workflows that rely on community or vendor-supplied parts). Where Fusion is used in regulated or high-value engineering environments, consider running it in a non-privileged Windows account so that any code executed via this XSS inherits reduced filesystem and network reach (trade-off: licensing and team-data-cache locations may need reconfiguration).

More in Fusion

View all
CVE-2017-5753 MEDIUM POC
5.6 Jan 04

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

CVE-2016-5330 HIGH POC
7.8 Aug 08

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t

CVE-2025-22226 HIGH
7.1 Mar 04

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi

CVE-2017-4901 CRITICAL POC
9.9 Jun 08

The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha

CVE-2020-3950 HIGH POC
7.8 Mar 17

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for

CVE-2017-4924 HIGH POC
8.8 Sep 15

VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8

CVE-2013-1406 HIGH POC
7.2 Feb 11

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and

CVE-2015-2194 MEDIUM POC
6.5 Mar 03

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp

CVE-2012-1666 MEDIUM POC
6.9 Sep 08

Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa

CVE-2017-4933 HIGH
8.8 Dec 20

VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a

CVE-2017-4905 MEDIUM POC
5.5 Jun 07

VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi

CVE-2017-4941 HIGH
8.8 Dec 20

VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8

Share

CVE-2026-0535 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy