Skip to main content

Fusion CVE-2026-4369

| EUVDEUVD-2026-22276 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 autodesk GHSA-mm54-xvph-7p9r
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 14:48 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 14:30 euvd
EUVD-2026-22276
Analysis Generated
Apr 14, 2026 - 14:30 vuln.today
Patch released
Apr 14, 2026 - 14:30 nvd
Patch available
CVE Published
Apr 14, 2026 - 13:47 nvd
HIGH 7.1

DescriptionCVE.org

A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

AnalysisAI

Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). Vendor-released patch available via official Fusion client installers for Windows and macOS. No public exploit identified at time of analysis.

Technical ContextAI

This is a CWE-79 Stored XSS vulnerability affecting the Autodesk Fusion desktop application (CPE: cpe:2.3:a:autodesk:fusion). Unlike typical web-based XSS, this occurs in a desktop application context where assembly variant names-likely stored in project files or cloud-synced data-are rendered without proper HTML encoding in native UI dialog boxes. When the delete confirmation dialog displays the malicious variant name, the embedded HTML/JavaScript payload executes within the Electron or embedded browser component used by Fusion's interface. This bridges web exploitation techniques into desktop software, where JavaScript execution can access Node.js APIs or native file system capabilities depending on the application's security sandbox configuration. The stored nature means the payload persists in project data, affecting anyone who opens the malicious assembly.

RemediationAI

Update Autodesk Fusion to the latest version using the official client downloader released March 2026. Windows users should download and run the patched installer from https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe while macOS users should use https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg. The update process will install the version containing fixes for the XSS vulnerability in assembly variant name rendering. As a temporary mitigation until patching is complete, exercise caution when opening Fusion project files from untrusted sources and avoid deleting assembly variants in projects received from external parties without first verifying file integrity. Review Autodesk Security Advisory ADSK-SA-2026-0005 for additional guidance and version verification procedures.

More in Fusion

View all
CVE-2017-5753 MEDIUM POC
5.6 Jan 04

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

CVE-2016-5330 HIGH POC
7.8 Aug 08

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t

CVE-2025-22226 HIGH
7.1 Mar 04

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi

CVE-2017-4901 CRITICAL POC
9.9 Jun 08

The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha

CVE-2020-3950 HIGH POC
7.8 Mar 17

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for

CVE-2017-4924 HIGH POC
8.8 Sep 15

VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8

CVE-2013-1406 HIGH POC
7.2 Feb 11

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and

CVE-2015-2194 MEDIUM POC
6.5 Mar 03

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp

CVE-2012-1666 MEDIUM POC
6.9 Sep 08

Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa

CVE-2017-4933 HIGH
8.8 Dec 20

VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a

CVE-2017-4905 MEDIUM POC
5.5 Jun 07

VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi

CVE-2017-4941 HIGH
8.8 Dec 20

VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8

Share

CVE-2026-4369 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy