CVE-2026-4369 PUBLISHED

Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name

Assigner: autodesk
Reserved: 18.03.2026 Published: 14.04.2026 Updated: 14.04.2026

A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 7.1

Attack Vector	Local	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	Autodesk
Product	Fusion
Versions	Default: unaffected affected from 2606.0 to 2702.1.47 (excl.)

CVE-2026-4369 PUBLISHED

Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name

Metrics

Product Status

References

Problem Types

Impacts