Cyber Resilience

CVE-2026-0534

HighUpdated

Published: 22 January 2026

Published
22 January 2026
Modified
03 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0047 37.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-0534 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Autodesk Fusion. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 37.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-0534 is a Stored Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, in the Autodesk Fusion desktop application. Published on 2026-01-22, it carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N). The flaw occurs when a maliciously crafted HTML payload, stored in a part’s attribute, is clicked by a user, triggering the XSS execution.

Exploitation requires an attacker to deliver a malicious part file to a victim, who must then open it in Autodesk Fusion and click the affected attribute, necessitating local access and user interaction but no privileges. Successful attacks enable the malicious payload to read local files or execute arbitrary code in the context of the Autodesk Fusion process, resulting in high impacts to confidentiality and integrity.

Autodesk has addressed the vulnerability in security advisory ADSK-SA-2026-0001, providing updated installers for mitigation: Fusion Client Downloader.dmg for macOS and Fusion Client Downloader.exe for Windows.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A maliciously crafted HTML payload, stored in a part’s attribute and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files…

more

or execute arbitrary code in the context of the current process.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

Stored XSS in desktop client app directly enables client-side code execution (T1203) after user opens and interacts with malicious file (T1204.002).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0533Same product: Autodesk Fusion
CVE-2026-0535Same product: Autodesk Fusion
CVE-2026-4369Same product: Autodesk Fusion
CVE-2026-4345Same product: Autodesk Fusion
CVE-2026-4344Same product: Autodesk Fusion
CVE-2025-1431Same vendor: Autodesk
CVE-2026-0536Same vendor: Autodesk
CVE-2025-1432Same vendor: Autodesk
CVE-2026-0661Same vendor: Autodesk
CVE-2025-1427Same vendor: Autodesk

Affected Assets

autodesk
fusion
≤ 2606.1.21

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Strict validation and sanitization of HTML content stored in part attributes would reject or neutralize the malicious payload before it can be rendered or executed.

prevent

Applying the vendor-supplied Fusion updates directly eliminates the stored-XSS flaw that permits arbitrary code execution or local file access.

preventdetect

Malicious-code protection mechanisms can block or alert on the JavaScript payload attempting to read files or run code within the Fusion process.

References