Cyber Posture

CVE-2026-4369

High

Published: 14 April 2026
Modified: 22 April 2026
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (10.2th percentile)
Risk Priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-4369 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Autodesk Fusion. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 10.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-15 (Information Output Filtering) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-15, Information Output Filtering): Information output filtering directly prevents the execution of malicious HTML payloads embedded in assembly variant names when they are rendered in the delete confirmation dialog.

prevent: Information input validation restricts malicious HTML from being stored in assembly variant names, addressing the stored aspect of the XSS vulnerability.

prevent (SI-2, Flaw Remediation): Flaw remediation ensures timely application of Autodesk's security updates to patch the Stored XSS vulnerability in the Fusion desktop application.

MITRE ATT&CK Enterprise Techniques

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

Stored XSS in a desktop client application (Autodesk Fusion) allows arbitrary code execution and local file access via a crafted file and user interaction with a dialog, which directly constitutes client-side exploitation for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Deeper analysis

CVE-2026-4369 is a Stored Cross-site Scripting (XSS) vulnerability, mapped to CWE-79, in the Autodesk Fusion desktop application. The flaw occurs when a maliciously crafted HTML payload is embedded in an assembly variant name and displayed within the delete confirmation dialog. User interaction, specifically clicking the payload, triggers the XSS execution.

An attacker with local access can exploit this vulnerability with low complexity and no required privileges, though it demands user interaction. Successful exploitation enables the attacker to read local files or execute arbitrary code in the context of the Autodesk Fusion process, resulting in high confidentiality and integrity impacts but no availability disruption, per the CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

Autodesk has issued security advisory ADSK-SA-2026-0005 addressing the vulnerability. Updated Fusion Client Downloader installers are available for download, including the macOS version (.dmg) and Windows version (.exe).

Details

CWE(s): CWE-79 (Cross-site Scripting)

Affected Products: autodesk fusion ≤ 2702.1.47

CVEs Like This One

CVE-2026-4345 (same product: Autodesk Fusion)
CVE-2026-4344 (same product: Autodesk Fusion)
CVE-2026-0534 (same product: Autodesk Fusion)
CVE-2026-0533 (same product: Autodesk Fusion)
CVE-2026-0535 (same product: Autodesk Fusion)
CVE-2026-0538 (same vendor: Autodesk)
CVE-2025-1430 (same vendor: Autodesk)
CVE-2025-1427 (same vendor: Autodesk)
CVE-2025-1650 (same vendor: Autodesk)
CVE-2026-0660 (same vendor: Autodesk)