Skip to main content

Fusion CVE-2026-4344

| EUVDEUVD-2026-22273 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 autodesk GHSA-355c-p2wf-x6ff
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 14:48 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 14:30 euvd
EUVD-2026-22273
Analysis Generated
Apr 14, 2026 - 14:30 vuln.today
Patch released
Apr 14, 2026 - 14:30 nvd
Patch available
CVE Published
Apr 14, 2026 - 13:56 nvd
HIGH 7.1

DescriptionCVE.org

A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

AnalysisAI

Stored XSS in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files through malicious component names displayed in delete confirmation dialogs. When a user clicks the crafted payload, the vulnerability escalates from XSS to potential local code execution within the application context. Vendor-released patches available for Windows and macOS. No public exploit identified at time of analysis, though the attack vector is local (CVSS:3.1/AV:L) requiring user interaction but no authentication (PR:N), with CVSS 7.1 reflecting high confidentiality and integrity impact.

Technical ContextAI

This vulnerability exploits improper neutralization of input during web page generation (CWE-79) within Autodesk Fusion's desktop application framework. The affected component is the delete confirmation dialog UI, which fails to sanitize HTML content in user-provided component names before rendering. As a desktop application, Fusion likely uses an embedded web view (Electron, CEF, or similar framework) for its interface. The stored XSS nature means the malicious payload persists in the application's data (component name field) and executes when the delete dialog is displayed. The escalation from typical XSS to local file access and code execution suggests the embedded browser context has elevated privileges or insufficient sandboxing, allowing JavaScript to break out of normal browser security boundaries and interact with the local file system or spawn processes. The CPE cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:* indicates all versions prior to patched releases are vulnerable.

RemediationAI

Update Autodesk Fusion to the latest patched version immediately using the official Fusion Client Downloader. Windows users should download and run the installer from https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe while macOS users should use https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg. The update process will replace vulnerable components with sanitized dialog rendering code. As an interim mitigation while testing patches, organizations should implement user awareness training about the risks of opening Fusion project files from untrusted sources and establish file provenance verification procedures. Consider restricting import of external Fusion projects to sandboxed environments until updates are applied. No workaround fully eliminates the vulnerability, making patching the primary remediation path. Verify successful update by checking the application version number against the advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005.

More in Fusion

View all
CVE-2017-5753 MEDIUM POC
5.6 Jan 04

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

CVE-2016-5330 HIGH POC
7.8 Aug 08

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t

CVE-2025-22226 HIGH
7.1 Mar 04

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi

CVE-2017-4901 CRITICAL POC
9.9 Jun 08

The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha

CVE-2020-3950 HIGH POC
7.8 Mar 17

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for

CVE-2017-4924 HIGH POC
8.8 Sep 15

VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8

CVE-2013-1406 HIGH POC
7.2 Feb 11

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and

CVE-2015-2194 MEDIUM POC
6.5 Mar 03

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp

CVE-2012-1666 MEDIUM POC
6.9 Sep 08

Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa

CVE-2017-4933 HIGH
8.8 Dec 20

VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a

CVE-2017-4905 MEDIUM POC
5.5 Jun 07

VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi

CVE-2017-4941 HIGH
8.8 Dec 20

VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8

Share

CVE-2026-4344 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy