CVE-2026-4344
Published: 14 April 2026
Summary
CVE-2026-4344 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Autodesk Fusion. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Filters malicious HTML payloads in component names before displaying them in the delete confirmation dialog, directly preventing Stored XSS execution.
Validates and sanitizes inputs for component names to block malicious HTML payloads from being stored, preventing the root cause of the Stored XSS vulnerability.
Ensures timely remediation of the specific flaw through vendor patches provided in Autodesk security advisory ADSK-SA-2026-0005, eliminating the XSS vulnerability.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Stored XSS in desktop client app directly enables T1203 (Exploitation for Client Execution) via arbitrary code execution in app context and T1005 (Data from Local System) via local file read capability.
NVD Description
A maliciously crafted HTML payload in a component name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage…
more
this vulnerability to read local files or execute arbitrary code in the context of the current process.
Deeper analysisAI
CVE-2026-4344 is a Stored Cross-site Scripting (XSS) vulnerability, classified under CWE-79, affecting the Autodesk Fusion desktop application. The issue arises when a maliciously crafted HTML payload is embedded in a component name, which is then displayed in the delete confirmation dialog. If a user clicks on this dialog, the payload triggers the XSS, with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).
An attacker with local access to the system can exploit this vulnerability without requiring privileges, though it demands low complexity and user interaction in the form of clicking the malicious dialog. Successful exploitation allows the attacker to read local files or execute arbitrary code within the context of the Autodesk Fusion desktop application process.
Autodesk has addressed the vulnerability in security advisory ADSK-SA-2026-0005, available at https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005. Updated installers for mitigation are provided for macOS (https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg) and Windows (https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe).
Details
- CWE(s)