Platform: windows
Component: autodesk-fusion
Fixed in: 2702.1.47
CVE-2026-4345 describes a Stored Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion. A malicious actor can inject a crafted HTML payload into a design name; that name is later written verbatim into a CSV export. When the CSV file is opened in a viewer that renders cell contents as HTML, the payload executes, potentially leading to unauthorized access or control. The vulnerability affects versions from 2606.0 up to, but not including, 2702.1.47; the fix ships in version 2702.1.47.
The impact of this XSS vulnerability is significant. An attacker could leverage the injected HTML payload to execute arbitrary JavaScript within the context of the user's session in whatever application renders the exported CSV. In the worst case this could allow reading sensitive local files, stealing credentials, or executing arbitrary code on the user's machine, depending on the privileges of that rendering context. The attack vector is to craft a malicious design name, have it exported to CSV, and trick a user into opening the CSV file; the attacker needs no access to the victim's machine, only the ability to set a design name the victim will later export. Successful exploitation could compromise the user's system and potentially the network it is connected to, depending on the user's privileges and the system's configuration.
CVE-2026-4345 was publicly disclosed on 2026-04-14. No public proof-of-concept (PoC) code has been released at the time of writing, though the simplicity of the injection makes it likely that one will emerge. The CVSS score of 7.1 (HIGH) rates severity, not likelihood of exploitation; the EPSS estimate of 0.02% (6th percentile) currently places the probability of exploitation low. It is not listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2026-4345 is to upgrade to Autodesk Fusion version 2702.1.47 or later, which contains the fix. If upgrading immediately is not possible, restrict who can create or rename designs in shared projects, review design names for HTML markup before exporting, and educate users about the risks of opening CSV files from untrusted sources. A WAF or proxy cannot prevent this XSS, since the payload is stored in the design name and only becomes active on export; content inspection of exported or emailed CSV files for HTML tags can, however, flag suspicious files before they reach a user. After upgrading, confirm the fix by exporting a design whose name contains a known test payload and checking, in a plain-text editor rather than an HTML-rendering viewer, that the payload has been neutralized in the CSV.
Update Autodesk Fusion to version 2702.1.47 or later to mitigate the XSS vulnerability. The update patches how design names exported to CSV are handled, preventing the execution of malicious code. See the Autodesk security advisories page for more details and download instructions.
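The export path and the post-upgrade check described above, as an added example written for this page (it is not Autodesk's code and does not reflect how Fusion implements its export): export_csv_unsafe writes design names verbatim, so an HTML payload in a name lands in the CSV unchanged; export_csv_hardened HTML-escapes every field before writing; scan_csv_for_html is the check to run over a real export to see whether any cell still carries markup. The design records, field names and payload are constructed for illustration.

```python
"""Added example for CVE-2026-4345 (not Autodesk code): unsafe vs hardened
CSV export of design names, plus a scanner that flags HTML in exported cells."""
import csv
import html
import io
import re

# Constructed sample data: the second design name carries a stored-XSS style
# HTML payload of the kind the advisory describes. Field names are assumed.
FIELDS = ["name", "version", "owner"]
DESIGNS = [
    {"name": "Bracket-A", "version": "3", "owner": "alice"},
    {"name": '<img src=x onerror="alert(document.cookie)">',
     "version": "1", "owner": "mallory"},
]


def export_csv_unsafe(designs):
    """Vulnerable pattern: each field is written exactly as stored, so any
    HTML in a design name survives into the CSV untouched."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for design in designs:
        writer.writerow({k: design[k] for k in FIELDS})
    return buf.getvalue()


def export_csv_hardened(designs):
    """Hardened pattern: HTML-escape every field before it is written, so a
    consumer that renders cells as HTML sees literal text, not markup.
    (CSV quoting is still handled by the csv module, independently.)"""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    for design in designs:
        writer.writerow({k: html.escape(str(design[k]), quote=True)
                         for k in FIELDS})
    return buf.getvalue()


# Matches an opening or closing HTML tag such as <img ...> or </script>.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def scan_csv_for_html(csv_text):
    """Post-export check: parse the CSV and return (line_no, column, value)
    for every cell that contains an HTML tag. An empty list means the export
    carries no markup, which is what you expect from a patched exporter."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for line_no, row in enumerate(reader, start=2):  # header is line 1
        for column, value in row.items():
            if value and TAG_RE.search(value):
                findings.append((line_no, column, value))
    return findings


if __name__ == "__main__":
    unsafe = export_csv_unsafe(DESIGNS)
    hardened = export_csv_hardened(DESIGNS)
    print("unsafe export:\n" + unsafe)
    print("findings in unsafe export:", scan_csv_for_html(unsafe))
    print("hardened export:\n" + hardened)
    print("findings in hardened export:", scan_csv_for_html(hardened))
```

Run the scanner over the unsafe export and it reports the payload in the name column; over the hardened export it reports nothing. HTML-escaping is the right fix only when the CSV consumer renders cells as HTML; a spreadsheet would show the entities literally, which is still safe but may surprise users, so the real exporter must pick an encoding that matches its intended consumers. Inspecting a real export with a scanner like this, rather than opening it in an HTML-rendering viewer, is the safer way to verify the fix after upgrading.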
CVE-2026-4345 is a Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion, allowing malicious code execution via a crafted HTML payload in a CSV export.
You are affected if you are running Autodesk Fusion versions from 2606.0 up to, but not including, 2702.1.47.
Upgrade to Autodesk Fusion version 2702.1.47 or later to resolve the vulnerability.
While no active exploitation has been confirmed, the vulnerability's nature suggests a potential for exploitation.
Refer to the official Autodesk security advisory for detailed information and updates: https://www.autodesk.com/support/security-advisories