{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/autodesk-fusion/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-4345"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Autodesk Fusion"],"_cs_severities":["medium"],"_cs_tags":["xss","autodesk","cve-2026-4345","application"],"_cs_type":"advisory","_cs_vendors":["Autodesk"],"content_html":"\u003cp\u003eA stored cross-site scripting (XSS) vulnerability, identified as CVE-2026-4345, affects the Autodesk Fusion desktop application. The vulnerability arises from the application's handling of design names. Specifically, a malicious actor can inject a crafted HTML payload into a design name. When this design name is exported to a CSV file, the payload is triggered. Successful exploitation of this vulnerability could enable an attacker to read local files or execute arbitrary code within the context of the current user's process. This can lead to a compromise of confidentiality and integrity. The vulnerability poses a risk to users who routinely export design data to CSV format.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTML payload designed to execute arbitrary JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker opens an Autodesk Fusion design and renames it using the crafted HTML payload as the new design name.\u003c/li\u003e\n\u003cli\u003eThe malicious design name is saved within the Autodesk Fusion project file.\u003c/li\u003e\n\u003cli\u003eThe user exports the designs within Autodesk Fusion, including the renamed design, into a CSV file.\u003c/li\u003e\n\u003cli\u003eThe CSV file is opened by a user with a program that renders HTML, such as Microsoft Excel or a web browser.\u003c/li\u003e\n\u003cli\u003eThe crafted HTML payload within the design name is executed as the application renders the CSV file, triggering the XSS vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary code in the context of the application.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the executed code to read local files or execute commands on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the stored XSS vulnerability (CVE-2026-4345) in Autodesk Fusion allows an attacker to execute arbitrary code within the application context. This could lead to the theft of sensitive information by reading local files, or further compromise of the system through arbitrary code execution. While the specific number of affected users is not available, the vulnerability's presence in a widely used application like Autodesk Fusion means a successful exploit could have a significant impact across various engineering and design sectors.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for instances of applications like Microsoft Excel or web browsers executing commands from unusual locations that may indicate CSV files containing malicious payloads (see Sigma rule: \u0026quot;Detect CSV File Executing Commands\u0026quot;).\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures for design names to prevent the injection of HTML or other potentially harmful code within Autodesk Fusion.\u003c/li\u003e\n\u003cli\u003eEducate users about the risks of opening CSV files from untrusted sources and the potential for embedded malicious content.\u003c/li\u003e\n\u003cli\u003eMonitor for file creations related to CSV exports, particularly those containing suspicious script tags or encoded commands (see Sigma rule: \u0026quot;Detect Suspicious CSV Export with Script Tags\u0026quot;).\u003c/li\u003e\n\u003cli\u003eApply future patches released by Autodesk to address CVE-2026-4345 as soon as they become available.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-02-29T12:00:00Z","date_published":"2024-02-29T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2026-04-autodesk-fusion-xss/","summary":"A stored cross-site scripting (XSS) vulnerability exists in the Autodesk Fusion desktop application, where a maliciously crafted HTML payload stored in a design name and exported to CSV can be triggered, potentially leading to local file reads or arbitrary code execution.","title":"Autodesk Fusion Stored XSS Vulnerability via Maliciously Crafted Design Name","url":"https://feed.craftedsignal.io/briefs/2026-04-autodesk-fusion-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Autodesk Fusion","version":"https://jsonfeed.org/version/1.1"}