Platform
windows
Component
autodesk-fusion
Fixed in
2702.1.47
CVE-2026-4345 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in Autodesk Fusion. This vulnerability allows a malicious actor to inject a crafted HTML payload into a design name, which is then exported to a CSV file. When the CSV file is opened, the payload can be executed, potentially leading to unauthorized access or control. The vulnerability affects versions 2606.0 through 2702.1.47, and a patch is available in version 2702.1.47.
The impact of this XSS vulnerability is significant. An attacker could leverage the injected HTML payload to execute arbitrary JavaScript code within the context of the current user's session. This could allow them to read sensitive local files, steal credentials, or even execute arbitrary code on the affected system. The attack vector involves crafting a malicious design name, exporting it to CSV, and then tricking a user into opening the CSV file. Successful exploitation could lead to complete compromise of the user's Autodesk Fusion environment and potentially access to other resources on their network, depending on user privileges and network configuration.
This vulnerability was publicly disclosed on 2026-04-14. Currently, there are no known active campaigns exploiting this specific vulnerability. No public proof-of-concept (POC) code has been released, but the nature of XSS vulnerabilities makes it likely that a POC will emerge. The vulnerability is not currently listed on the CISA KEV catalog.
Organizations and individuals using Autodesk Fusion for design and engineering are at risk. Specifically, users who regularly export designs to CSV format and share those files with others are particularly vulnerable. Shared hosting environments where multiple users access the same Fusion installation could also amplify the risk, as a compromised user could potentially affect other users on the same system.
• windows / supply-chain:
# Verify the provider name and event ID against a reference installation before deploying this query.
# EventID lives under the System element, so it belongs inside the System[...] predicate.
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='Fusion.Desktop.App'] and EventID=1234]]" -ErrorAction SilentlyContinue
• windows / supply-chain:
# The CommandLine property is exposed by Get-Process in PowerShell 7+; on Windows PowerShell 5.1 use Get-CimInstance Win32_Process instead.
Get-Process -Name Fusion.Desktop.App -ErrorAction SilentlyContinue | Select-Object -ExpandProperty CommandLine
• generic web: Inspect CSV files exported from Autodesk Fusion for suspicious HTML tags (e.g., <script>, <iframe>) within design names.
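As an added example (not part of this advisory and not Autodesk's code), a Python check for the CSV inspection above: it scans the design-name column of an export for HTML markup and shows the escaping an exporter would apply so such names are inert. It goes beyond the advisory by also flagging and quoting formula-style prefixes, the related spreadsheet-formula risk. The column header "Name" and the sample rows are constructed assumptions.

```python
import csv
import html
import io
import re

# Tag-like markup inside a cell that should only hold a design name is the
# indicator the advisory describes (e.g. <script>, <iframe>).
HTML_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Leading characters that spreadsheet applications treat as a formula;
# flagged as the related CSV-injection risk (added generalisation).
FORMULA_PREFIXES = ("=", "+", "-", "@")

def scan_csv_text(csv_text, name_column="Name"):
    """Return (data_row, column, kind, cell) for each suspicious cell in the
    design-name column. Row numbers are 1-based and exclude the header.
    The header name "Name" is an assumption, not Fusion's real layout."""
    reader = csv.DictReader(io.StringIO(csv_text))
    findings = []
    for row_no, row in enumerate(reader, start=1):
        cell = row.get(name_column) or ""
        if HTML_TAG_RE.search(cell):
            findings.append((row_no, name_column, "html", cell))
        elif cell.startswith(FORMULA_PREFIXES):
            findings.append((row_no, name_column, "formula", cell))
    return findings

def sanitize_design_name(name):
    """Escape a design name before it is written to an export so markup is
    inert when the file is rendered, and neutralise a formula prefix with a
    leading apostrophe (the usual CSV-injection defence)."""
    safe = html.escape(name, quote=True)
    if safe.startswith(FORMULA_PREFIXES):
        safe = "'" + safe
    return safe

# Constructed sample export (not a real Fusion file): two benign rows,
# one row with injected markup, one with a formula-style name.
SAMPLE_CSV = (
    "Name,Material\n"
    "Bracket v3,Aluminium\n"
    "<script>alert(1)</script>,Steel\n"
    "Housing,ABS\n"
    "=1+1,Nylon\n"
)

if __name__ == "__main__":
    for finding in scan_csv_text(SAMPLE_CSV):
        print(finding)
```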
disclosure
Exploit status
EPSS
0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4345 is to upgrade to Autodesk Fusion version 2702.1.47 or later, which includes the fix for this vulnerability. If immediate upgrading is not possible, consider restricting user access to design files and implementing strict file validation procedures. Educate users about the risks of opening CSV files from untrusted sources. While a WAF is unlikely to directly mitigate this vulnerability, it could help detect and block suspicious CSV file uploads. After upgrading, confirm the fix by attempting to export a design with a specially crafted name containing HTML tags and verifying that the tags are not executed when the CSV is opened.
Update Autodesk Fusion to version 2702.1.47 or later to mitigate the XSS vulnerability. The update patches the way design names exported to CSV are handled, preventing the execution of malicious code. Consult Autodesk's security advisories page for further details and download instructions.
CVE-2026-4345 is a Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion, allowing malicious code execution via a crafted HTML payload in a CSV export.
You are affected if you are using Autodesk Fusion versions 2606.0 through 2702.1.47.
Upgrade to Autodesk Fusion version 2702.1.47 or later to resolve the vulnerability.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation.
Refer to the official Autodesk security advisory for detailed information and updates: [https://www.autodesk.com/support/security-advisories]