EUVD-2026-22276
GHSA-mm54-xvph-7p9r
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionNVD
A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
AnalysisAI
Stored cross-site scripting in Autodesk Fusion desktop application enables arbitrary code execution when malicious assembly variant names render in delete confirmation dialogs. Attackers can craft HTML payloads that execute in the application context, enabling local file access and code execution with user privileges (CVSS 7.1, local attack vector requiring user interaction). …
Sign in for full analysis, threat intelligence, and remediation guidance.
RemediationAI
Within 24 hours: Inventory all Autodesk Fusion installations across engineering and design teams; notify users to avoid deleting assembly variants from untrusted sources. Within 7 days: Deploy vendor-released patch via official Fusion client installers to all Windows and macOS systems running Fusion; verify installation completion through client version reporting. …
Sign in for detailed remediation steps.
Share
External POC / Exploit Code
Leaving vuln.today