CVE-2026-4345 HIGH

CVE-2026-4345: Stored Cross-Site Scripting (XSS) Vulnerability in Design Name

Vendor Autodesk

Product Fusion

Weakness CWE-79 · XSS

Published April 14, 2026

Last update April 15, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Local

Attack complexity Low

Privileges required None

User interaction Required

Confidentiality High

Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A maliciously crafted HTML payload, stored in a design name and exported to CSV, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Key dates

02Disclosure timeline

April 14, 2026 CVE published

April 15, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-4345 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2024-13564 Rife Elementor Extensions & Templates <= 1.2.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Writing Effect Headline Shortcode CVE-2022-3441 Rock Convert < 2.11.0 - Admin+ Stored Cross-Site Scripting CVE-2026-33113 Microsoft SharePoint Server Spoofing Vulnerability CVE-2026-6073 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitLab CVE-2024-43216 WordPress Filr plugin <= 1.2.4 - Cross Site Scripting (XSS) vulnerability