CVE-2026-4369 HIGH

CVE-2026-4369: Stored Cross-Site Scripting (XSS) Vulnerability in Assembly Variant Name

Vendor Autodesk
Product Fusion
Weakness CWE-79 · XSS
Published April 14, 2026
Last update April 15, 2026
View on NVD All CVEs

CVSS base score

7.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

Key dates

02Disclosure timeline

April 14, 2026 CVE published
April 15, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-10184 SW Kick Integration - Blocks and Shortcodes for Embedding Kick Streams <= 1.1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via sw-kick-embed Shortcode CVE-2023-4887 Google Maps Plugin by Intergeo <= 2.3.2 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode CVE-2022-2093 WP Duplicate Page < 1.3 - Admin+ Stored Cross Site Scripting CVE-2024-36189 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79) CVE-2024-24907