CVE-2026-4345
Published: 14 April 2026
Summary
CVE-2026-4345 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Autodesk Fusion. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 6.3 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Vendor patching: directly mitigates the vulnerability by requiring timely application of the fixes provided in Autodesk's security advisory.
- SI-15 (Information Output Filtering): filters malicious HTML payloads in design names during CSV export to prevent XSS execution.
- SI-10 (Information Input Validation): validates and sanitizes inputs such as design names to block the embedding of malicious HTML payloads.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a client-side vulnerability in the Autodesk Fusion desktop application that can be exploited via a malicious file to achieve arbitrary code execution in the application process, directly enabling T1203 Exploitation for Client Execution.
NVD Description
A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
Deeper analysis
CVE-2026-4345 is a Stored Cross-site Scripting (XSS) vulnerability (CWE-79) in the Autodesk Fusion desktop application. It arises when a maliciously crafted HTML payload is embedded in a design name and subsequently exported to CSV format, triggering the XSS execution. The vulnerability carries a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N), indicating high confidentiality and integrity impacts with low attack complexity but requiring local access and user interaction.
An attacker can exploit this by crafting a malicious design file with an HTML payload in its name and convincing a victim to open it in Autodesk Fusion and export it to CSV. No privileges are required on the target system (PR:N), but the victim must interact by performing the export (UI:R). Successful exploitation allows the attacker to read local files or execute arbitrary code within the context of the Fusion application process.
Autodesk has addressed the issue in security advisory ADSK-SA-2026-0005, with updated installers available for download: Fusion Client Downloader for macOS (.dmg) and Windows (.exe). Security practitioners should advise users to apply these patches promptly to mitigate the risk.
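As an added example, not Autodesk's code (the page does not describe Fusion's export internals), the following Python sketch shows the two controls listed under Mitigating Controls applied to the design-name-to-CSV path: an SI-10 style validation gate that flags names containing HTML markup, and an SI-15 style output filter that entity-encodes names before they are written to CSV. The sample design names, field layout and function names are constructed for illustration.

```python
import csv
import html
import io
import re

# Constructed sample records (not taken from the advisory): one benign design
# name and one carrying HTML markup of the kind the CVE describes.
SAMPLE_DESIGNS = [
    {"name": "Bracket v3", "revision": "3"},
    {"name": "<b>Bracket</b> v4", "revision": "4"},
]

# Matches anything that looks like an HTML tag: '<', optional '/', a tag name, '>'.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_html_markup(name: str) -> bool:
    """SI-10 style validation gate: True if a design name carries HTML tags.

    Use it to reject or flag a name at save time, and as a detection check
    over existing design metadata.
    """
    return TAG_RE.search(name) is not None


def escape_design_name(name: str) -> str:
    """SI-15 style output filter: entity-encode the name so that a viewer that
    renders the exported CSV as HTML shows the markup as literal text instead
    of interpreting it."""
    return html.escape(name, quote=True)


def export_designs_csv(designs) -> str:
    """Write designs to CSV with every name passed through the output filter
    and every field quoted, so neither HTML nor stray delimiters in a name can
    change how the export is parsed or rendered."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["name", "revision"])
    for design in designs:
        writer.writerow([escape_design_name(design["name"]), design["revision"]])
    return buf.getvalue()


def flagged_design_names(designs) -> list:
    """Return the raw names that fail the validation gate, for review or alerting."""
    return [d["name"] for d in designs if contains_html_markup(d["name"])]


if __name__ == "__main__":
    print(flagged_design_names(SAMPLE_DESIGNS))
    print(export_designs_csv(SAMPLE_DESIGNS))
```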
Details
- CWE(s)