{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0662", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "state": "PUBLISHED", "assignerShortName": "autodesk", "dateReserved": "2026-01-06T19:58:25.162Z", "datePublished": "2026-02-04T16:28:31.980Z", "dateUpdated": "2026-02-26T15:04:19.038Z"}, "containers": {"cna": {"affected": [{"cpes": ["cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*"], "defaultStatus": "unaffected", "product": "3ds Max", "vendor": "Autodesk", "versions": [{"lessThan": "2026.3.2", "status": "affected", "version": "2026", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized."}], "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized."}], "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471: Search Order Hijacking"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-04T16:28:31.980Z"}, "references": [{"tags": ["patch"], "url": "https://www.autodesk.com/products/autodesk-access/overview"}, {"tags": ["vendor-advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002"}], "source": {"discovery": "EXTERNAL"}, "title": "Untrusted Search Path Vulnerability when opening max Files", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0662", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T04:55:24.821645Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T15:04:19.038Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0662", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-04T16:49:58.151153Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-04T16:50:37.226Z"}}], "cna": {"title": "Untrusted Search Path Vulnerability when opening max Files", "source": {"discovery": "EXTERNAL"}, "impacts": [{"capecId": "CAPEC-471", "descriptions": [{"lang": "en", "value": "CAPEC-471: Search Order Hijacking"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"cpes": ["cpe:2.3:a:autodesk:3ds_max:2026:*:*:*:*:*:*:*"], "vendor": "Autodesk", "product": "3ds Max", "versions": [{"status": "affected", "version": "2026", "lessThan": "2026.3.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.autodesk.com/products/autodesk-access/overview", "tags": ["patch"]}, {"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.", "supportingMedia": [{"type": "text/html", "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-426", "description": "CWE-426 Untrusted Search Path"}]}], "providerMetadata": {"orgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "shortName": "autodesk", "dateUpdated": "2026-02-04T16:28:31.980Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0662", "state": "PUBLISHED", "dateUpdated": "2026-02-06T04:55:24.319Z", "dateReserved": "2026-01-06T19:58:25.162Z", "assignerOrgId": "7e40ea87-bc65-4944-9723-dd79dd760601", "datePublished": "2026-02-04T16:28:31.980Z", "assignerShortName": "autodesk"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:autodesk:3ds_max:*:*:*:*:*:*:*:*", "matchCriteriaId": "CF0B2FEF-FF28-4FF2-91CF-B417FB77CF04", "versionEndExcluding": "2026.3.2", "versionStartIncluding": "2026", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized."}], "id": "CVE-2026-0662", "lastModified": "2026-02-06T14:45:33.330", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "psirt@autodesk.com", "type": "Primary"}]}, "published": "2026-02-04T17:16:13.100", "references": [{"source": "psirt@autodesk.com", "tags": ["Product"], "url": "https://www.autodesk.com/products/autodesk-access/overview"}, {"source": "psirt@autodesk.com", "tags": ["Vendor Advisory"], "url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002"}], "sourceIdentifier": "psirt@autodesk.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-426"}], "source": "psirt@autodesk.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T23:26:40.497601+00:00", "value": {"mitigation_remediation": ["Apply the Autodesk 3ds Max security update provided in Security Advisory ADK\u20112026\u20110002.", "Ensure that directories referenced in project files are fully trusted and do not contain potentially malicious executables.", "Verify that the system PATH used by 3ds Max does not include untrusted or writable directories that could be used for loading executables."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Autodesk 3ds Max, specifically version 2026 as indicated in the referenced CPEs. Earlier releases may also be impacted if they employ similar loading mechanisms; however, only 2026 is explicitly noted.", "description_and_impact": "A maliciously crafted project directory can trick Autodesk 3ds Max into executing code when a .max file is opened. The vulnerability arises from an untrusted search path that permits the program to load executables from directories controlled by the project, enabling arbitrary code to run with the same privileges as the user. This flaw is categorized as CWE\u2011426.", "risk_and_exploitability": "The CVSS score of 7.8 reflects high severity, while the EPSS score of less than 1% indicates very low current exploitation likelihood. The vulnerability is not listed in the CISA KEV catalog. Attacks would require a user to open a malicious .max file or otherwise supply a crafted project directory; thus the vector is expected to be local or user\u2011initiated without remote code execution from a network source."}}}}, "created": "2026-04-17T23:30:15.917883+00:00", "updated": "2026-04-17T23:30:15.917895+00:00", "vendors": []}