Skip to main content

Fusion EUVDEUVD-2026-22274

| CVE-2026-4345 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-14 autodesk GHSA-96vp-26rc-8483
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:22 vuln.today
cvss_changed
Analysis Generated
Apr 14, 2026 - 14:47 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 14:30 euvd
EUVD-2026-22274
Analysis Generated
Apr 14, 2026 - 14:30 vuln.today
Patch released
Apr 14, 2026 - 14:30 nvd
Patch available
CVE Published
Apr 14, 2026 - 13:56 nvd
HIGH 7.1

DescriptionCVE.org

A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

AnalysisAI

Stored cross-site scripting (XSS) in Autodesk Fusion desktop application allows local attackers to execute arbitrary code or read local files by crafting malicious HTML payloads in design names that trigger when exported to CSV format. The vulnerability requires no authentication but depends on user interaction (opening the exported CSV). Vendor patch available via updated client installers for Windows and macOS. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code identified at time of analysis.

Technical ContextAI

This is a Stored XSS vulnerability (CWE-79) affecting the Autodesk Fusion desktop application (CPE: cpe:2.3:a:autodesk:fusion). Unlike typical web-based XSS, this occurs in a desktop application context where HTML payloads embedded in design metadata (specifically design names) are not properly sanitized during CSV export operations. When a user opens the exported CSV file, the malicious script executes within the application's rendering engine or associated file handler. The local attack vector (AV:L) indicates exploitation requires the attacker to have local access or social engineer a victim into importing a malicious design file. The vulnerability's severity stems from the desktop application's elevated privileges compared to browser sandboxes, enabling filesystem access and code execution in the process context rather than being confined to typical web XSS limitations.

RemediationAI

Vendor-released patch available via updated Fusion client installers. Windows users should download and install the patched version from https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe while macOS users should use https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg. Consult the official Autodesk security advisory at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005 for detailed remediation instructions and specific fixed version numbers. As an interim mitigation, organizations should educate users to avoid opening design files or exported CSV data from untrusted sources, and implement application control policies to prevent execution of unexpected scripts from CSV file handlers until patches are deployed.

More in Fusion

View all
CVE-2017-5753 MEDIUM POC
5.6 Jan 04

Systems with microprocessors utilizing speculative execution and branch prediction may allow unauthorized disclosure of

CVE-2016-5330 HIGH POC
7.8 Aug 08

Untrusted search path vulnerability in the HGFS (aka Shared Folders) feature in VMware Tools 10.0.5 in VMware ESXi 5.0 t

CVE-2025-22226 HIGH
7.1 Mar 04

VMware ESXi, Workstation, and Fusion contain an information disclosure vulnerability via HGFS out-of-bounds read, allowi

CVE-2017-4901 CRITICAL POC
9.9 Jun 08

The drag-and-drop (DnD) function in VMware Workstation 12.x before version 12.5.4 and Fusion 8.x before version 8.5.5 ha

CVE-2020-3950 HIGH POC
7.8 Mar 17

VMware Fusion (11.x before 11.5.2), VMware Remote Console for Mac (11.x and prior before 11.0.1) and Horizon Client for

CVE-2017-4924 HIGH POC
8.8 Sep 15

VMware ESXi (ESXi 6.5 without patch ESXi650-201707101-SG), Workstation (12.x before 12.5.7) and Fusion (8.x before 8.5.8

CVE-2013-1406 HIGH POC
7.2 Feb 11

The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and

CVE-2015-2194 MEDIUM POC
6.5 Mar 03

Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for Wordp

CVE-2012-1666 MEDIUM POC
6.9 Sep 08

Untrusted search path vulnerability in VMware Tools in VMware Workstation before 8.0.4, VMware Player before 4.0.4, VMwa

CVE-2017-4933 HIGH
8.8 Dec 20

VMware ESXi (6.5 before ESXi650-201710401-BG), Workstation (12.x before 12.5.8), and Fusion (8.x before 8.5.9) contain a

CVE-2017-4905 MEDIUM POC
5.5 Jun 07

VMware ESXi 6.5 without patch ESXi650-201703410-SG, 6.0 U3 without patch ESXi600-201703401-SG, 6.0 U2 without patch ESXi

CVE-2017-4941 HIGH
8.8 Dec 20

VMware ESXi (6.0 before ESXi600-201711101-SG, 5.5 ESXi550-201709101-SG), Workstation (12.x before 12.5.8), and Fusion (8

Share

EUVD-2026-22274 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy