CVE-2026-4344
Stored XSS in Autodesk Fusion Delete Confirmation Enables Code Execution
Publication date: 2026-04-14
Last updated on: 2026-04-22
Assigner: Autodesk
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| autodesk | fusion | to 2702.1.47 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Stored Cross-site Scripting (XSS) issue in the Autodesk Fusion desktop application. It occurs when a maliciously crafted HTML payload is placed in a component name. When this component name is displayed during the delete confirmation dialog and clicked by a user, the malicious code is triggered.
This allows an attacker to execute arbitrary code or read local files within the context of the current process.
How can this vulnerability impact me? :
The vulnerability can allow a malicious actor to execute arbitrary code or read local files on your system through the Autodesk Fusion application.
- Execution of arbitrary code could lead to unauthorized actions being performed on your system.
- Reading local files could expose sensitive information stored on your device.
- Since the attack requires user interaction (clicking the malicious component name), it may be exploited through social engineering.