Platform: windows
Component: autodesk-fusion
Fixed in: 2702.1.47
CVE-2026-4369 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in Autodesk Fusion. This vulnerability arises when a maliciously crafted HTML payload, embedded within an assembly variant name, is displayed during the delete confirmation dialog and subsequently clicked by a user. The impact is the potential for an attacker to execute arbitrary code or read local files within the context of the current process.
Successful exploitation of CVE-2026-4369 allows an attacker to inject malicious scripts into the Autodesk Fusion application. These scripts could be used to steal sensitive information stored locally on the user's machine, such as credentials or configuration files. More critically, the attacker could potentially execute arbitrary code with the same privileges as the user running Fusion, enabling lateral movement within the network or further compromise of the system. While the vulnerability requires user interaction (clicking the confirmation dialog), the social engineering potential is significant, particularly in environments where users are accustomed to deleting files regularly.
CVE-2026-4369 was publicly disclosed on 2026-04-14. There are currently no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog as of this writing. The CVSS score of 7.1 (HIGH) indicates a significant risk, and the potential for exploitation should be taken seriously.
Users of Autodesk Fusion who are actively working with assembly variants and relying on the delete confirmation dialog are at risk. This includes engineers, designers, and project managers who frequently manage and delete project assets within the application. Shared hosting environments where multiple users access the same Fusion installation may amplify the risk.
• windows / supply-chain:
  # Process-creation auditing (event 4688) is written to the Security log by
  # Microsoft-Windows-Security-Auditing; the command line is only present when
  # "Include command line in process creation events" is enabled.
  Get-WinEvent -LogName Security -FilterXPath "*[System[Provider[@Name='Microsoft-Windows-Security-Auditing'] and EventID=4688] and EventData[Data[@Name='CommandLine' and contains(., 'Fusion.exe')]]]"
• windows / supply-chain:
  Get-Process -Name Fusion | Select-Object -ExpandProperty Path
• generic web: Inspect the delete confirmation dialog for unexpected HTML or JavaScript code.
Disclosure
Exploit status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4369 is to upgrade Autodesk Fusion to version 2702.1.47 or later, which contains the fix. If immediate upgrading is not possible, consider implementing stricter input validation on assembly variant names to prevent the injection of malicious HTML. While a direct workaround is not available, monitoring user activity and educating users about the risks of clicking suspicious confirmation dialogs can help reduce the attack surface. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious payload and verifying that it is no longer exploitable.
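The following is an added example, not Autodesk Fusion code and not taken from the advisory. It shows the defect class described above: a stored assembly variant name is interpolated raw into HTML-based dialog markup, so markup in the name becomes part of the dialog. Beside the vulnerable pattern sits the hardened one (output escaping), plus a review check that flags stored names carrying unexpected HTML, which is the "inspect the dialog for unexpected HTML" step automated over stored data. The dialog template, the variant names and the markup heuristic are all constructed for illustration.

```javascript
// Added example (not Autodesk code). Dialog template, sample names and the
// markup heuristic below are constructed for illustration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape every character that can alter HTML structure or break out of an
// attribute value. A single regex pass means '&' is never re-encoded.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern, kept for contrast: the stored name is concatenated
// raw, so any tag it carries is parsed as part of the dialog's DOM.
function buildDeleteDialogUnsafe(variantName) {
  return `<p>Delete assembly variant "${variantName}"?</p>`;
}

// Hardened pattern: the name is escaped before it reaches the template, so
// the browser renders it as literal text whatever it contains.
function buildDeleteDialogSafe(variantName) {
  return `<p>Delete assembly variant "${escapeHtml(variantName)}"?</p>`;
}

// Review heuristic for stored data: a variant name has no reason to contain
// a tag opener ('<' followed by a letter, '!', '/' or '?') or an entity
// reference. This flags names for inspection; it does not replace escaping.
const MARKUP_PATTERN = /<[a-zA-Z!\/?]|&#?[a-zA-Z0-9]+;/;

function looksLikeMarkup(variantName) {
  return MARKUP_PATTERN.test(String(variantName));
}

// Return the stored names that warrant manual review.
function auditVariantNames(names) {
  return names.filter(looksLikeMarkup);
}

// Constructed sample data: two ordinary names and two carrying markup.
const SAMPLE_VARIANT_NAMES = [
  'Bracket Rev-A',
  'Bracket Rev-B (steel, width < 5mm)',
  'Bracket <b>Rev-C</b>',
  'Bracket &lt;Rev-D&gt;',
];

for (const name of SAMPLE_VARIANT_NAMES) {
  console.log('unsafe:', buildDeleteDialogUnsafe(name));
  console.log('safe:  ', buildDeleteDialogSafe(name));
}
console.log('flagged for review:', auditVariantNames(SAMPLE_VARIANT_NAMES));
```

The heuristic deliberately ignores a bare `<` followed by whitespace (as in a dimension such as `width < 5mm`), because HTML parsers only open a tag when a letter, `!`, `/` or `?` follows the bracket; only escaping at the rendering boundary is the actual fix, and the audit exists to find what earlier versions may already have stored.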
Update Autodesk Fusion to version 2702.1.47 or later to mitigate the XSS vulnerability. The update patches the way assembly variant names are handled, preventing the execution of malicious scripts. Download the latest version from the official Autodesk website.
CVE-2026-4369 is a Stored Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion versions 2606.0 through 2702.1.47. A malicious HTML payload can be injected through an assembly variant name, potentially leading to code execution.
You are affected if you are using Autodesk Fusion versions 2606.0 to 2702.1.47 and interact with the delete confirmation dialog.
Upgrade to Autodesk Fusion version 2702.1.47 or later to resolve the vulnerability.
Currently, there are no publicly known active exploits for CVE-2026-4369, but prompt remediation is still recommended.
Refer to the official Autodesk security advisory for CVE-2026-4369 on the Autodesk Trust and Security website.