Platform
windows
Component
autodesk-fusion
Fixed in
2702.1.47
CVE-2026-4344 describes a Stored Cross-Site Scripting (XSS) vulnerability within Autodesk Fusion. This vulnerability arises when a maliciously crafted HTML payload, embedded within a component name, is displayed during the delete confirmation dialog and subsequently clicked by a user. The impact can range from local file access to arbitrary code execution, posing a significant security risk.
An attacker could exploit this XSS vulnerability to inject malicious scripts into the Autodesk Fusion application. When a user interacts with the delete confirmation dialog containing the crafted payload, the script executes in the context of the user's session. This allows the attacker to potentially read sensitive local files, steal credentials, or even execute arbitrary code on the user's machine. The blast radius extends to any user who clicks the malicious confirmation dialog, making it a widespread concern within organizations utilizing Autodesk Fusion.
CVE-2026-4344 was publicly disclosed on 2026-04-14. As of this writing, there are no publicly available proof-of-concept exploits. The vulnerability is not currently listed on CISA KEV. The probability of exploitation is considered medium, given the ease of crafting a malicious payload and the potential impact.
Users of Autodesk Fusion who rely on the delete confirmation dialog for managing components are at risk. Specifically, organizations with legacy Fusion deployments (versions 2606.0–2702.1.47) and those with users who frequently interact with component deletion processes are particularly vulnerable. Shared hosting environments where multiple users share the same Fusion installation could also amplify the impact of this vulnerability.
• windows / supply-chain:
Get-WinEvent -FilterHashtable @{LogName='Application'; Id=1001} | Where-Object { $_.Message -match 'Autodesk Fusion' }
• windows / supply-chain:
Get-Process -Name Fusion | Select-Object -ExpandProperty Path
• generic web: Inspect network traffic for requests to Fusion endpoints containing unusual HTML or JavaScript code in component names.
• generic web: Review Fusion application logs for errors or warnings related to HTML parsing or rendering.
disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4344 is to upgrade Autodesk Fusion to version 2702.1.47 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing strict input validation on component names to prevent the injection of malicious HTML. While a WAF might offer some protection, it is unlikely to be effective against this type of XSS, because the payload is stored in the component name and rendered by the application itself rather than passing through a request a WAF would inspect. After upgrading, verify the fix by attempting to trigger the delete confirmation dialog with a known malicious payload and confirming that the script is not executed.
Upgrade Autodesk Fusion to version 2702.1.47 or later to mitigate the XSS vulnerability. Download the latest version from the official Autodesk website or through the application's update channels. This update corrects how component names are handled, preventing the execution of malicious scripts.
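The mitigation above asks for strict validation of component names and a dialog that never interprets them as markup. The following is an added illustration (not Autodesk code; all function names and the sample component name are constructed for this example) of the vulnerable rendering pattern next to its hardened form, plus a validator for the interim control and a helper for auditing stored names before the upgrade.

```javascript
// Constructed sample: a component whose name carries HTML, as the advisory describes.
const SAMPLE_COMPONENT_NAME = 'Bracket<script>alert("x")</script>';

// Vulnerable pattern: the untrusted name is spliced straight into the dialog's HTML,
// so any tags it contains are parsed and executed when the dialog is shown.
function buildDeleteDialogUnsafe(componentName) {
  return `<p>Delete component <b>${componentName}</b>?</p>`;
}

// Escape every HTML-significant character so the name is displayed as text only.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same dialog, but the name is escaped before interpolation.
function buildDeleteDialogSafe(componentName) {
  return `<p>Delete component <b>${escapeHtml(componentName)}</b>?</p>`;
}

// Interim mitigation at save time: accept only names without HTML-significant
// characters and within a sane length. Returns true when the name is acceptable.
function isAcceptableComponentName(name) {
  return typeof name === 'string'
    && name.length > 0
    && name.length <= 256
    && !/[<>"'&]/.test(name);
}

// Audit helper for defenders: given a list of stored component names, return the
// ones that contain something the unsafe builder would render as a tag.
function findSuspiciousNames(names) {
  return names.filter((n) => /<[a-zA-Z!\/]/.test(String(n)));
}
```

Run `findSuspiciousNames` over an export of component names from existing designs to spot entries that need cleanup before the patched build is rolled out.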
CVE-2026-4344 is a Stored Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion versions 2606.0–2702.1.47, allowing malicious code execution via a crafted HTML payload in a component name.
You are affected if you are using Autodesk Fusion versions 2606.0 through 2702.1.47 and have not yet upgraded to a patched version.
Upgrade to Autodesk Fusion version 2702.1.47 or later to resolve this XSS vulnerability. Consider temporary workarounds if immediate upgrading is not possible.
There is currently no indication of active exploitation campaigns targeting CVE-2026-4344, but the vulnerability remains a potential risk.
Refer to the official Autodesk security advisory for detailed information and updates regarding CVE-2026-4344: [https://www.autodesk.com/support/security-advisories]