{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4369", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "state": "PUBLISHED", "assignerShortName": "autodesk", "dateReserved": "2026-03-18T08:19:07.639Z", "datePublished": "2026-04-14T13:47:01.968Z", "dateUpdated": "2026-04-14T14:52:05.768Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-04-14T13:48:16.573Z"}, "title": "Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "affected": [{"vendor": "Autodesk", "product": "Fusion", "versions": [{"status": "affected", "version": "2606.0", "lessThan": "2702.1.47", "versionType": "custom"}], "defaultStatus": "unaffected", "cpes": ["cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*"]}], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}]}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005", "tags": ["vendor-advisory"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "tags": ["patch"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "tags": ["patch"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"}}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:51:57.366107Z", "id": "CVE-2026-4369", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:52:05.768Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4369", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T14:51:57.366107Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:52:01.014Z"}}], "cna": {"title": "Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:autodesk:fusion:2606.0:*:*:*:*:*:*:*"], "vendor": "Autodesk", "product": "Fusion", "versions": [{"status": "affected", "version": "2606.0", "lessThan": "2702.1.47", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005", "tags": ["vendor-advisory"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "tags": ["patch"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "value": "A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-04-14T13:48:16.573Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4369", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:52:05.768Z", "dateReserved": "2026-03-18T08:19:07.639Z", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "datePublished": "2026-04-14T13:47:01.968Z", "assignerShortName": "autodesk"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "id": "CVE-2026-4369", "lastModified": "2026-04-14T15:16:38.943", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "psirt@autodesk.com", "type": "Primary"}]}, "published": "2026-04-14T15:16:38.943", "references": [{"source": "psirt@autodesk.com", "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}, {"source": "psirt@autodesk.com", "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}, {"source": "psirt@autodesk.com", "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005"}], "sourceIdentifier": "psirt@autodesk.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@autodesk.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[2606.0,2702.1.47)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Fusion", "source": "cna", "vendor": "Autodesk"}, "product": "fusion", "vendor": "autodesk"}], "analysis": {"en": {"generated_at": "2026-04-14T15:51:53.373922+00:00", "value": {"mitigation_remediation": ["Verify the installed Autodesk Fusion version and determine whether newer releases are available that contain the fix.", "Install the latest Fusion update that addresses the XSS vulnerability and replace the affected program files.", "Confirm that the post\u2011update version number exceeds 2606.0 and monitor Autodesk security advisories for any additional patches or workarounds."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) in Autodesk Fusion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Autodesk Fusion desktop version 2606.0. Any installation that has not been updated beyond this version may run with the unpatched code, rendering users susceptible to the exploit.", "description_and_impact": "A maliciously crafted HTML payload can be embedded in an assembly variant name and will be displayed in the delete confirmation dialog of Autodesk Fusion. If the user clicks the dialog a stored XSS is triggered, allowing an attacker to read local files or execute arbitrary code within the Fusion process context.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.1, indicating moderate\u2011to\u2011high severity. Exploitation requires the victim to interact with the malicious confirmation dialog, but once triggered the impact on confidentiality and integrity is significant. EPSS data is unavailable and the issue is not listed in CISA\u2019s KEV catalog, yet the combination of a high CVSS, required user action, and the potential for arbitrary code execution presents a realistic risk in typical environments."}}}}, "created": "2026-04-14T16:15:31.341399+00:00", "updated": "2026-04-14T16:30:28.905788+00:00", "vendors": ["autodesk", "autodesk$PRODUCT$fusion"]}