CVE-2026-0534
Published: 22 January 2026
Summary
CVE-2026-0534 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Autodesk Fusion. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-0534 is a Stored Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, in the Autodesk Fusion desktop application. Published on 2026-01-22, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The flaw occurs when a maliciously crafted HTML payload, stored in a part’s attribute, is clicked by a user, triggering the XSS execution.
Exploitation requires an attacker to deliver a malicious part file to a victim, who must then open it in Autodesk Fusion and click the affected attribute, necessitating local access and user interaction but no privileges. Successful attacks enable the malicious payload to read local files or execute arbitrary code in the context of the Autodesk Fusion process, resulting in high impacts to confidentiality and integrity.
Autodesk has addressed the vulnerability in security advisory ADSK-SA-2026-0001, providing updated installers for mitigation: Fusion Client Downloader.dmg for macOS and Fusion Client Downloader.exe for Windows.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3897
Vulnerability details
A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files…
more
or execute arbitrary code in the context of the current process.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in desktop client app directly enables client-side code execution (T1203) after user opens and interacts with malicious file (T1204.002).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Strict validation and sanitization of HTML content stored in part attributes would reject or neutralize the malicious payload before it can be rendered or executed.
Applying the vendor-supplied Fusion updates directly eliminates the stored-XSS flaw that permits arbitrary code execution or local file access.
Malicious-code protection mechanisms can block or alert on the JavaScript payload attempting to read files or run code within the Fusion process.