Platform: windows
Component: autodesk-fusion
Fixed in: 2702.1.47
CVE-2026-4344 describes a Stored Cross-Site Scripting (XSS) vulnerability discovered in Autodesk Fusion. The vulnerability arises when a maliciously crafted HTML payload stored in a component name is rendered in the delete confirmation dialog and subsequently clicked by a user. Successful exploitation could lead to unauthorized access and execution of code within the application's context, impacting user data and system integrity. The vulnerability affects versions 2606.0 through 2702.1.47, and a fix is available in version 2702.1.47.
An attacker could exploit this XSS vulnerability to execute arbitrary JavaScript code within the context of the user's Autodesk Fusion session. This could allow them to steal sensitive information, such as user credentials or project data, or even manipulate the application's functionality. The attacker could potentially read local files accessible to the Fusion process, expanding the scope of potential data compromise. While the immediate blast radius is limited to users interacting with the delete confirmation dialog, successful exploitation could lead to broader system compromise if the user has elevated privileges or access to sensitive resources. This vulnerability highlights the importance of proper input validation and output encoding to prevent XSS attacks.
CVE-2026-4344 was publicly disclosed on 2026-04-14. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (POC) code has been released. The vulnerability has not been added to the CISA KEV catalog at the time of writing. The CVSS score of 7.1 (HIGH) indicates a significant potential for exploitation if left unaddressed.
Exploit Status
EPSS: 0.02% (6th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-4344 is to upgrade to Autodesk Fusion version 2702.1.47 or later, which includes the necessary fix. If immediate upgrading is not feasible, consider implementing temporary workarounds such as restricting user access to the delete confirmation dialog or disabling the functionality entirely. Additionally, review and strengthen input validation routines within the application to prevent the injection of malicious HTML payloads. Monitor network traffic for suspicious activity related to the Fusion application, particularly requests containing unusual HTML content. After upgrading, confirm the fix by attempting to trigger the delete confirmation dialog with a known malicious payload and verifying that the script is not executed.
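As an added illustration of the output-encoding point above (example code, not Autodesk's or Fusion's own), the following JavaScript builds a delete-confirmation message from an untrusted component name the unsafe way and the hardened way; the dialog markup, the function names and the constructed component name are assumptions, not details from the advisory.

```javascript
// Added example: rendering an untrusted component name into a confirmation
// dialog. Markup, names and the sample input below are constructed for
// illustration and are not taken from Autodesk Fusion.

// Constructed sample: a component name that carries HTML markup, the class
// of input the advisory describes as the trigger for the stored XSS.
const TAINTED_NAME = 'Bracket<script>alert(1)</script>';

// Minimal HTML entity encoder, safe for text nodes and double-quoted
// attribute values. '&' must be encoded first so later replacements are
// not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the name is concatenated into markup verbatim, so any
// tags it contains become part of the dialog's DOM when the string is
// assigned to innerHTML (or an equivalent HTML-rendering API).
function buildDeleteDialogUnsafe(componentName) {
  return `<p>Delete component "${componentName}"?</p>`;
}

// Hardened pattern: the name is encoded at output time, so the browser
// renders it as literal text. Where a DOM is available, assigning the raw
// name to element.textContent achieves the same result without an encoder.
function buildDeleteDialogSafe(componentName) {
  return `<p>Delete component "${escapeHtml(componentName)}"?</p>`;
}

// Regression check in the spirit of the advisory's post-upgrade verification:
// the rendered dialog must contain only the dialog's own tags, never tags
// that originated in the component name.
function countTags(html) {
  return (html.match(/<[^>]*>/g) || []).length;
}

console.log('unsafe tags:', countTags(buildDeleteDialogUnsafe(TAINTED_NAME)));
console.log('safe tags:  ', countTags(buildDeleteDialogSafe(TAINTED_NAME)));
console.log(buildDeleteDialogSafe(TAINTED_NAME));
```

The unsafe builder yields four tags (the dialog's `<p>` pair plus the injected pair), while the hardened builder yields only the dialog's own two.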
Update Autodesk Fusion to version 2702.1.47 or later to mitigate the XSS vulnerability. Download the latest version from the official Autodesk website or through the application's update channels. This update corrects how component names are handled, preventing the execution of malicious scripts.
CVE-2026-4344 is a Stored Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion versions 2606.0–2702.1.47, allowing malicious code execution via a crafted HTML payload in a component name.
You are affected if you are using Autodesk Fusion versions 2606.0 through 2702.1.47 and have not yet upgraded to a patched version.
Upgrade to Autodesk Fusion version 2702.1.47 or later to resolve this XSS vulnerability. Consider temporary workarounds if immediate upgrading is not possible.
There is currently no indication of active exploitation campaigns targeting CVE-2026-4344, but the vulnerability remains a potential risk.
Refer to the official Autodesk security advisory for detailed information and updates regarding CVE-2026-4344: https://www.autodesk.com/support/security-advisories