SB20260414109 - Multiple stored XSS vulnerabilities in Autodesk Fusion

Security Bulletin ID SB20260414109

Severity

Low

Patch available

YES

Number of vulnerabilities 3

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2026-4369)

The vulnerability allows a remote user to perform XSS attacks.

The vulnerability exists due to cross-site scripting in the assembly variant name handling in the delete confirmation dialog when displaying and clicking a maliciously crafted HTML payload. A remote user can supply a crafted assembly variant name and perform an XSS attack.

2) Stored cross-site scripting (CVE-ID: CVE-2026-4344)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data when displayed during the delete confirmation dialog. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

3) Stored cross-site scripting (CVE-ID: CVE-2026-4345)

The disclosed vulnerability allows a remote user to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in a design name. A remote user can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Remediation

Install update from vendor's website.

References

https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0005