CVE-2026-4345

HIGH 7.1

Stored Cross-Site Scripting (XSS) Vulnerability in Design Name

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

CWE	CWE-79
Vendor	autodesk
Product	fusion
Published	Apr 14, 2026
Last Updated	Apr 15, 2026

Stay Ahead of the Next One

Get instant alerts for autodesk fusion

Be the first to know when new high vulnerabilities affecting autodesk fusion are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Affected Versions

Autodesk / Fusion

2606.0 < 2702.1.47

References

NVD ↗ CVE.org ↗ EPSS Data ↗

autodesk.com: https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005 dl.appstreaming.autodesk.com: https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe dl.appstreaming.autodesk.com: https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg