Stored Cross-site Scripting Vulnerability in Autodesk Fusion by Autodesk
CVE-2026-4369

7.1 HIGH

Key Information:

Vendor: Autodesk

Status
Vendor
CVE Published: 14 April 2026

What is CVE-2026-4369?

A maliciously crafted HTML payload can be displayed in the delete confirmation dialog of the Autodesk Fusion desktop application. If a user clicks on this payload, it triggers a Stored Cross-site Scripting (XSS) vulnerability, allowing a malicious actor to read local files or execute arbitrary code within the current process. Users should be aware of this risk and apply the recommended patches from Autodesk to safeguard their systems.

Affected Version(s)

Fusion 2606.0 < 2702.1.47

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
