CVE-2026-4345 PUBLISHED

Stored Cross-Site Scripting (XSS) Vulnerability in Design Name

Assigner: autodesk
Reserved: 17.03.2026 Published: 14.04.2026 Updated: 14.04.2026

A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 7.1

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Autodesk
Product	Fusion
Versions	Default: unaffected affected from 2606.0 to 2702.1.47 (excl.)

References

https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe
https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg

Problem Types

CWE-79 Cross-Site Scripting (XSS) - Stored CWE

Impacts

CAPEC-592 Stored XSS