
CVE-2026-4345

Severity: High
Published: 14 April 2026
Modified: 22 April 2026
KEV Added: not listed
Patch: available (vendor advisory)
CVSS Score v3.1: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (7.0th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-4345 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Autodesk Fusion. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 7.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-4345 is a Stored Cross-site Scripting (XSS) vulnerability (CWE-79) in the Autodesk Fusion desktop application. It arises when a maliciously crafted HTML payload is embedded in a design name and subsequently exported to CSV format, triggering the XSS execution. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low attack complexity but requiring local access and user interaction.

An attacker can exploit this by crafting a design file whose design name carries an HTML payload and convincing a victim to open it in Autodesk Fusion and export it to CSV. No privileges are required on the target system (PR:N), but the victim must open the file and perform the export (UI:R); the attack vector is local (AV:L), so the payload has to reach the victim as a file rather than over the network. Successful exploitation allows the attacker to read local files or execute arbitrary code in the context of the Fusion application process, which is why the confidentiality and integrity impacts are rated High even though availability is unaffected.

Autodesk has addressed the issue in security advisory ADSK-SA-2026-0005, with updated installers available for download: Fusion Client Downloader for macOS (.dmg) and Windows (.exe). Fusion releases up to and including 2702.1.47 are affected. Security practitioners should advise users to apply these patches promptly; until then, treating design files from untrusted sources with the same caution as any other client-side exploit vector is the practical interim control.

Vulnerability details

A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The CVE describes a client-side vulnerability in the Autodesk Fusion desktop application that can be exploited via a malicious file to achieve arbitrary code execution in the application process, directly enabling T1203 Exploitation for Client Execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-4369 (same product: Autodesk Fusion)
CVE-2026-0534 (same product: Autodesk Fusion)
CVE-2026-0533 (same product: Autodesk Fusion)
CVE-2026-4344 (same product: Autodesk Fusion)
CVE-2026-0535 (same product: Autodesk Fusion)
CVE-2026-0538 (same vendor: Autodesk)
CVE-2026-7451 (same vendor: Autodesk)
CVE-2025-1428 (same vendor: Autodesk)
CVE-2026-0875 (same vendor: Autodesk)
CVE-2025-1431 (same vendor: Autodesk)

Affected Assets

Autodesk Fusion, versions ≤ 2702.1.47

Mitigating Controls (NIST 800-53 r5)

Vendor patching (prevent): directly mitigates the vulnerability by requiring timely application of the vendor patches provided in Autodesk's security advisory ADSK-SA-2026-0005.

SI-15 Information Output Filtering (prevent): filters malicious HTML payloads in design names during CSV export to prevent XSS execution.

SI-10 Information Input Validation (prevent): validates and sanitizes inputs such as design names to block embedding of malicious HTML payloads.
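The two controls above, SI-10 validation at the point a design name is stored and SI-15 filtering at the point it is exported, are easiest to see side by side. The Python below is an added illustration written for this page; it is not Autodesk's code and does not describe Fusion's real export path, which the advisory does not detail. The sample designs, the payload string, and the function names (validate_design_name, export_csv_unsafe, export_csv_filtered, find_markup_in_csv) are all constructed for the example. It shows the unsafe export pattern that lets stored markup survive verbatim, the validated and escaped alternative, and a small scanner for CSVs that were already produced the unsafe way.

```python
import csv
import html
import io
import re

# Constructed sample input: one benign design and one whose name carries an
# HTML payload of the general kind the advisory describes (illustrative only).
SAMPLE_DESIGNS = [
    {"name": "Bracket v3", "material": "Al 6061", "mass_g": 42.5},
    {"name": '<img src=x onerror="alert(1)">', "material": "Steel", "mass_g": 310.0},
]

_TAG_RE = re.compile(r"<[^>]*>")
_CONTROL_RE = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
MAX_NAME_LEN = 128  # assumed limit for the example


def validate_design_name(name: str) -> bool:
    """SI-10 style input validation applied where a design name is stored.

    Rejects empty or over-long names, anything containing angle brackets
    (so no tag can be formed later), and ASCII control characters.
    """
    if not name or len(name) > MAX_NAME_LEN:
        return False
    if "<" in name or ">" in name:
        return False
    if _CONTROL_RE.search(name):
        return False
    return True


def export_csv_unsafe(designs) -> str:
    """The export pattern to avoid: every field is written verbatim, so a
    payload stored in a name reaches the CSV unchanged and is rendered by
    whatever later displays that CSV as HTML."""
    out = io.StringIO()
    out.write("name,material,mass_g\n")
    for d in designs:
        out.write(f"{d['name']},{d['material']},{d['mass_g']}\n")
    return out.getvalue()


def export_csv_filtered(designs) -> str:
    """SI-15 style output filtering: HTML-escape each text field and let the
    csv module quote it, so no active markup survives the export even if a
    bad name slipped past validation upstream."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "material", "mass_g"])
    for d in designs:
        writer.writerow([
            html.escape(str(d["name"]), quote=True),
            html.escape(str(d["material"]), quote=True),
            d["mass_g"],
        ])
    return out.getvalue()


def find_markup_in_csv(csv_text: str) -> list:
    """Detection helper for CSVs already exported the unsafe way: returns
    (row_number, field) pairs whose field contains an HTML tag. Row 1 is the
    header line."""
    hits = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for field in row:
            if _TAG_RE.search(field):
                hits.append((row_no, field))
    return hits


if __name__ == "__main__":
    for d in SAMPLE_DESIGNS:
        print(f"{d['name']!r}: valid={validate_design_name(d['name'])}")
    unsafe = export_csv_unsafe(SAMPLE_DESIGNS)
    print("unsafe export flagged rows:", find_markup_in_csv(unsafe))
    print("filtered export flagged rows:", find_markup_in_csv(export_csv_filtered(SAMPLE_DESIGNS)))
```

The two layers are deliberately independent: validation at storage time stops the payload from ever being persisted, and escaping at export time means a name that was stored before the validation existed (or that came in through another path) still cannot carry markup out. The scanner is useful for triage of exports produced by an unpatched client; a hit does not prove exploitation, only that markup reached the file.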
