Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
AnalysisAI
Stored XSS in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files through malicious component names displayed in delete confirmation dialogs. When a user clicks the crafted payload, the vulnerability escalates from XSS to potential local code execution within the application context. Vendor-released patches available for Windows and macOS. No public exploit identified at time of analysis, though the attack vector is local (CVSS:3.1/AV:L) requiring user interaction but no authentication (PR:N), with CVSS 7.1 reflecting high confidentiality and integrity impact.
Technical ContextAI
This vulnerability exploits improper neutralization of input during web page generation (CWE-79) within Autodesk Fusion's desktop application framework. The affected component is the delete confirmation dialog UI, which fails to sanitize HTML content in user-provided component names before rendering. As a desktop application, Fusion likely uses an embedded web view (Electron, CEF, or similar framework) for its interface. The stored XSS nature means the malicious payload persists in the application's data (component name field) and executes when the delete dialog is displayed. The escalation from typical XSS to local file access and code execution suggests the embedded browser context has elevated privileges or insufficient sandboxing, allowing JavaScript to break out of normal browser security boundaries and interact with the local file system or spawn processes. The CPE cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:* indicates all versions prior to patched releases are vulnerable.
RemediationAI
Update Autodesk Fusion to the latest patched version immediately using the official Fusion Client Downloader. Windows users should download and run the installer from https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe while macOS users should use https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg. The update process will replace vulnerable components with sanitized dialog rendering code. As an interim mitigation while testing patches, organizations should implement user awareness training about the risks of opening Fusion project files from untrusted sources and establish file provenance verification procedures. Consider restricting import of external Fusion projects to sandboxed environments until updates are applied. No workaround fully eliminates the vulnerability, making patching the primary remediation path. Verify successful update by checking the application version number against the advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005.
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi
The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and
Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp
Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi
VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22273
GHSA-355c-p2wf-x6ff