{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0533", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "state": "PUBLISHED", "assignerShortName": "autodesk", "dateReserved": "2025-12-19T18:57:06.177Z", "datePublished": "2026-01-22T16:58:43.084Z", "dateUpdated": "2026-02-26T14:44:31.809Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:autodesk:fusion:2603.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "Fusion", "vendor": "Autodesk", "versions": [{"lessThan": "2606.1.21", "status": "affected", "version": "2603.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "value": "A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-03T18:17:16.141Z"}, "references": [{"tags": ["patch"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}, {"tags": ["patch"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}, {"tags": ["vendor-advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS in Fusion desktop when attempting to delete a file", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0533", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T04:55:30.529662Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:31.809Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0533", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T04:55:30.529662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-25T16:27:37.752Z"}}], "cna": {"title": "Stored XSS in Fusion desktop when attempting to delete a file", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:autodesk:fusion:2603.0:*:*:*:*:*:*:*"], "vendor": "Autodesk", "product": "Fusion", "versions": [{"status": "affected", "version": "2603.0", "lessThan": "2606.1.21", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "tags": ["patch"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "tags": ["patch"]}, {"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "value": "A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-03T18:17:16.141Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0533", "state": "PUBLISHED", "dateUpdated": "2026-02-25T16:34:32.003Z", "dateReserved": "2025-12-19T18:57:06.177Z", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "datePublished": "2026-01-22T16:58:43.084Z", "assignerShortName": "autodesk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "00476C10-FCC9-4EDD-AE74-95A8E99806B9", "versionEndExcluding": "2606.1.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "id": "CVE-2026-0533", "lastModified": "2026-01-30T17:07:29.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "psirt@autodesk.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T17:16:28.937", "references": [{"source": "psirt@autodesk.com", "tags": ["Product"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}, {"source": "psirt@autodesk.com", "tags": ["Product"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}, {"source": "psirt@autodesk.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001"}], "sourceIdentifier": "psirt@autodesk.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@autodesk.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:40:20.287327+00:00", "value": {"mitigation_remediation": ["Apply the latest Autodesk Fusion desktop update that contains the XSS fix.", "Avoid opening or installing design files from untrusted sources, and be cautious of unusually named files before deleting them.", "Where possible, disable or restrict HTML script rendering in the Fusion UI or enforce strict input validation of design names to eliminate the reflected XSS vector."], "summary": {"action": "Immediate Patch", "impact": "Stored cross\u2011site scripting enabling local code execution or file read"}, "threat_synthesis": {"affected_systems": "All installations of Autodesk Fusion desktop, including the 2603.0 release and earlier unreleased builds that have not yet been patched. The vulnerability affects any version that presents the design name in the delete\u2011confirmation dialog without proper sanitization.", "description_and_impact": "The flaw is a stored XSS in Autodesk Fusion desktop\u2019s delete\u2011confirmation dialog. A maliciously crafted HTML fragment embedded in a design name is rendered when the dialog appears, and clicking the confirmation button causes the browser\u2011like component to execute the injected script. The injected code can read local files or run arbitrary commands in the context of the Fusion process, thus providing an attacker with code execution privileges on the affected machine. This weakness is a classic example of CWE\u201179, where unsanitized user\u2011controlled input is executed as code.", "risk_and_exploitability": "The CVSS score of 7.1 reflects a moderate\u2011to\u2011high risk when the flaw is exploited. The EPSS score is below 1\u202f%, indicating a low likelihood of exploitation at the current time, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is logical; an attacker who can create or modify a design\u2019s name in the local filesystem can embed the malicious payload. Exploitation requires the victim to have access to the machine and to interact with the delete confirmation dialog, so it is a local\u2011user\u2011privileged threat rather than a remote one. Proper code execution or file access follows directly from the injection, making the impact severe for a legitimate local user."}}}}, "created": "2026-01-23T10:27:23.704691+00:00", "updated": "2026-04-18T03:45:21.075805+00:00", "vendors": ["autodesk", "autodesk$PRODUCT$fusion"]}