Platform: windows
Component: autodesk-fusion
Fixed in: 2702.1.47
CVE-2026-4369 is a Stored Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion. A malicious actor can inject a crafted HTML payload into an assembly variant name; when that name is displayed in the delete confirmation dialog and clicked by a user, the XSS can trigger. Affected versions include those between 2606.0 and 2702.1.47, inclusive. A fix is available in version 2702.1.47.
Successful exploitation of CVE-2026-4369 could allow an attacker to execute arbitrary JavaScript code within the context of the user's Autodesk Fusion session. This could lead to various malicious actions, including the theft of sensitive data stored locally on the user's machine, such as project files or configuration settings. An attacker could also potentially leverage this vulnerability to gain control of the user's Autodesk Fusion account, allowing them to access and modify project data. The blast radius extends to any user who interacts with the delete confirmation dialog after being exposed to a malicious assembly variant name.
CVE-2026-4369 was publicly disclosed on 2026-04-14. Currently, there are no publicly available proof-of-concept exploits. The vulnerability is not listed on the CISA KEV catalog. The probability of exploitation is considered low given the lack of public exploits, but the potential impact warrants prompt remediation.
Exploit Status
EPSS: 0.02% (6% percentile)
The primary mitigation for CVE-2026-4369 is to upgrade to Autodesk Fusion version 2702.1.47 or later. Until the upgrade is possible, administrators should exercise caution when handling assembly variant names, particularly those received from untrusted sources. While a direct workaround is unavailable, implementing strict input validation on assembly variant names could reduce the attack surface. Consider temporarily disabling the delete confirmation dialog if feasible, although this may impact user workflow. After upgrading, confirm the vulnerability is resolved by attempting to trigger the delete confirmation dialog with a known malicious payload.
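The output-encoding and name-validation ideas above, as an added JavaScript example. It is not Autodesk code: the function names, the dialog markup, the allowlist and the sample names are all assumptions constructed for illustration.

```javascript
// Added illustration; none of these names come from Autodesk Fusion.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode every character that can change the HTML parsing context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into dialog markup as-is,
// so any markup inside the name becomes part of the dialog.
function confirmDeleteUnsafe(variantName) {
  return `<p>Delete variant <b>${variantName}</b>?</p>`;
}

// Hardened pattern: the name is encoded at the point of output,
// so it is always rendered as text.
function confirmDeleteSafe(variantName) {
  return `<p>Delete variant <b>${escapeHtml(variantName)}</b>?</p>`;
}

// Input validation as defence in depth: an allowlist (assumed policy) of
// letters, digits, space and a few punctuation marks, 1 to 64 characters.
const ALLOWED_NAME = /^[\p{L}\p{N} _.()-]{1,64}$/u;

// Return the names that fail the allowlist so they can be reviewed or renamed.
function auditVariantNames(names) {
  return names.filter((name) => !ALLOWED_NAME.test(name));
}

// Constructed sample data: two ordinary names and one carrying inert markup.
const SAMPLE_NAMES = ['Bracket v2', 'Housing (steel)', 'Rev <a href="#">B</a>'];

function demo() {
  const flagged = auditVariantNames(SAMPLE_NAMES);
  return {
    flagged,
    unsafe: confirmDeleteUnsafe(flagged[0]),
    safe: confirmDeleteSafe(flagged[0]),
  };
}

console.log(demo());
```

Output encoding is the control that closes the hole; the allowlist only narrows what can be stored and may need widening for legitimate names.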
Upgrade Autodesk Fusion to version 2702.1.47 or later to mitigate the XSS vulnerability. The update patches how assembly variant names are handled, preventing the execution of malicious scripts. Download the latest version from the official Autodesk website.
CVE-2026-4369 is a Stored Cross-Site Scripting (XSS) vulnerability in Autodesk Fusion versions 2606.0 through 2702.1.47. A malicious HTML payload can be injected through an assembly variant name, potentially leading to code execution.
You are affected if you are using Autodesk Fusion versions 2606.0 to 2702.1.47 and interact with the delete confirmation dialog.
Upgrade to Autodesk Fusion version 2702.1.47 or later to resolve the vulnerability.
Currently, there are no publicly known active exploits for CVE-2026-4369, but prompt remediation is still recommended.
Refer to the official Autodesk security advisory for CVE-2026-4369 on the Autodesk Trust and Security website.