{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0535", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "state": "PUBLISHED", "assignerShortName": "autodesk", "dateReserved": "2025-12-19T18:57:21.548Z", "datePublished": "2026-01-22T16:59:34.236Z", "dateUpdated": "2026-02-26T14:44:31.213Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:autodesk:fusion:2603.0:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "Fusion", "vendor": "Autodesk", "versions": [{"lessThan": "2606.1.21", "status": "affected", "version": "2603.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A maliciously crafted HTML payload, stored in a component\u2019s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.<br><br>"}], "value": "A maliciously crafted HTML payload, stored in a component\u2019s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-03T17:35:07.834Z"}, "references": [{"tags": ["patch"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}, {"tags": ["patch"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}, {"tags": ["vendor-advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001"}], "source": {"discovery": "EXTERNAL"}, "title": "Stored XSS in Electronic Library Component Description", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0535", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T04:55:28.433748Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T14:44:31.213Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0535", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-23T04:55:28.433748Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-22T18:24:45.533Z"}}], "cna": {"title": "Stored XSS in Electronic Library Component Description", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:autodesk:fusion:2603.0:*:*:*:*:*:*:*"], "vendor": "Autodesk", "product": "Fusion", "versions": [{"status": "affected", "version": "2603.0", "lessThan": "2606.1.21", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "tags": ["patch"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "tags": ["patch"]}, {"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload, stored in a component\u2019s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.", "supportingMedia": [{"type": "text/html", "value": "A maliciously crafted HTML payload, stored in a component\u2019s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.<br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Cross-Site Scripting (XSS) - Stored"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-03T17:35:07.834Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0535", "state": "PUBLISHED", "dateUpdated": "2026-02-26T14:44:31.213Z", "dateReserved": "2025-12-19T18:57:21.548Z", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "datePublished": "2026-01-22T16:59:34.236Z", "assignerShortName": "autodesk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "00476C10-FCC9-4EDD-AE74-95A8E99806B9", "versionEndExcluding": "2606.1.21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload, stored in a component\u2019s description and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "id": "CVE-2026-0535", "lastModified": "2026-01-30T17:07:49.633", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "psirt@autodesk.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-22T17:16:30.260", "references": [{"source": "psirt@autodesk.com", "tags": ["Product"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg"}, {"source": "psirt@autodesk.com", "tags": ["Product"], "url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe"}, {"source": "psirt@autodesk.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001"}], "sourceIdentifier": "psirt@autodesk.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "psirt@autodesk.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T03:39:27.525359+00:00", "value": {"mitigation_remediation": ["Upgrade Autodesk Fusion to the latest release that includes the fix for the stored XSS issue.", "If an immediate upgrade is not feasible, disable or remove the electronic library component to prevent users from clicking malicious descriptions.", "Educate users to avoid interacting with unknown or suspicious content in component descriptions and to verify the source of any scripts they encounter."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The flaw targets Autodesk Fusion desktop versions up to at least 2603.0, as indicated by the product identifiers and CPE entries for Autodesk Fusion. The affected vendors are Autodesk; specific product name is Fusion.", "description_and_impact": "A maliciously crafted HTML payload can be stored in the description of an electronic library component and executed when a user interacts with that description, leading to a Stored Cross\u2011Site Scripting flaw that may allow reading local files or running arbitrary code inside the Fusion desktop process. The vulnerability arises from inadequate sanitization of user\u2011supplied content (CWE-79) and permits both information disclosure and execution of code with the privileges of the running user.", "risk_and_exploitability": "The CVSS score of 7.1 indicates moderate\u2011to\u2011high severity, and the EPSS score of less than 1% suggests current industrial exploitation probability is low but not negligible. The vulnerability is not listed in the CISA KEV catalog, but its potential to execute code in the user\u2019s session makes it a significant risk. The likely attack path involves a malicious actor inserting a crafted description, which a user subsequently clicks, triggering the stored XSS in the Fusion client."}}}}, "created": "2026-01-23T10:27:16.830725+00:00", "updated": "2026-04-18T03:45:21.074690+00:00", "vendors": ["autodesk", "autodesk$PRODUCT$fusion"]}