{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4344", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "state": "PUBLISHED", "assignerShortName": "autodesk", "dateReserved": "2026-03-17T15:57:23.974Z", "datePublished": "2026-04-14T13:56:56.801Z", "dateUpdated": "2026-04-14T15:07:02.979Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-04-14T13:56:56.801Z"}, "title": "Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Component Name", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Autodesk", "product": "Fusion", "versions": [{"status": "affected", "version": "2606.0", "lessThan": "2702.1.47", "versionType": "custom"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005", "tags": ["vendor-advisory"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "tags": ["patch"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:06:56.123380Z", "id": "CVE-2026-4344", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:07:02.979Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4344", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:06:56.123380Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:06:58.811Z"}}], "cna": {"title": "Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Component Name", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*"], "vendor": "Autodesk", "product": "Fusion", "versions": [{"status": "affected", "version": "2606.0", "lessThan": "2702.1.47", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005", "tags": ["vendor-advisory"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "tags": ["patch"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "value": "A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-04-14T13:56:56.801Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4344", "state": "PUBLISHED", "dateUpdated": "2026-04-14T15:07:02.979Z", "dateReserved": "2026-03-17T15:57:23.974Z", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "datePublished": "2026-04-14T13:56:56.801Z", "assignerShortName": "autodesk"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "id": "CVE-2026-4344", "lastModified": "2026-04-14T15:16:38.467", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "psirt@autodesk.com", "type": "Primary"}]}, "published": "2026-04-14T15:16:38.467", "references": [{"source": "psirt@autodesk.com", "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}, {"source": "psirt@autodesk.com", "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}, {"source": "psirt@autodesk.com", "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005"}], "sourceIdentifier": "psirt@autodesk.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@autodesk.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2606.0,2702.1.47)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Fusion", "source": "cna", "vendor": "Autodesk"}, "product": "fusion", "vendor": "autodesk"}], "analysis": {"en": {"generated_at": "2026-04-14T15:51:04.207105+00:00", "value": {"mitigation_remediation": ["Check Autodesk\u2019s website for an updated Fusion installer or patch; upgrade to the latest version when available.", "If no patch is immediately available, delete or rename any component names that contain unexpected HTML or script fragments to prevent the dialog from rendering malicious content.", "If Fusion offers a setting to disable embedded web\u2011view or script rendering, enable it until a vendor repair is released.", "Monitor Fusion logs and user activity for unusual delete\u2011confirmation dialogs or script execution events."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting that may enable local file reads or code execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Autodesk Fusion desktop versions, with the current CPE indicating impact on 2606.0. Any installation of this release that allows component names to contain arbitrary HTML is at risk.", "description_and_impact": "A maliciously crafted HTML payload can be stored within a component name and then shown in the Fusion desktop application's delete\u2011confirmation dialog; clicking the link triggers a stored cross\u2011site scripting event. The attacker can read local files or execute arbitrary code within the context of the running Fusion process, a flaw classified as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 7.1 signals a high severity. Exploitation requires a user to interact with the malicious link presented in the confirmation dialog, so user action is mandatory. The EPSS score is not available, and the vulnerability is not listed in CISA\u2019s KEV catalog, suggesting limited public exploitation data at present. If successfully exploited, the attacker gains code execution privileges equivalent to the Fusion process, potentially allowing local file disclosure or broader compromise."}}}}, "created": "2026-04-14T16:15:29.244813+00:00", "updated": "2026-04-14T16:30:26.754908+00:00", "vendors": ["autodesk", "autodesk$PRODUCT$fusion"]}