Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
6DescriptionCVE.org
A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
AnalysisAI
Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). Vendor-released patch available via official Fusion client installers for Windows and macOS. No public exploit identified at time of analysis.
Technical ContextAI
This is a CWE-79 Stored XSS vulnerability affecting the Autodesk Fusion desktop application (CPE: cpe:2.3:a:autodesk:fusion). Unlike typical web-based XSS, this occurs in a desktop application context where assembly variant names-likely stored in project files or cloud-synced data-are rendered without proper HTML encoding in native UI dialog boxes. When the delete confirmation dialog displays the malicious variant name, the embedded HTML/JavaScript payload executes within the Electron or embedded browser component used by Fusion's interface. This bridges web exploitation techniques into desktop software, where JavaScript execution can access Node.js APIs or native file system capabilities depending on the application's security sandbox configuration. The stored nature means the payload persists in project data, affecting anyone who opens the malicious assembly.
RemediationAI
Update Autodesk Fusion to the latest version using the official client downloader released March 2026. Windows users should download and run the patched installer from https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe while macOS users should use https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg. The update process will install the version containing fixes for the XSS vulnerability in assembly variant name rendering. As a temporary mitigation until patching is complete, exercise caution when opening Fusion project files from untrusted sources and avoid deleting assembly variants in projects received from external parties without first verifying file integrity. Review Autodesk Security Advisory ADSK-SA-2026-0005 for additional guidance and version verification procedures.
Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of
Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t
VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi
The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha
VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for
VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and
Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp
Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa
VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a
VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi
VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22276
GHSA-mm54-xvph-7p9r