CVE-2026-0533

7.1 HIGH

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in Autodesk Fusion allows an attacker to inject HTML into a design name. The stored name is later rendered in the delete confirmation dialog without adequate encoding; when a user views that dialog and interacts with the injected content, the attacker's script runs in the application's context, which can lead to arbitrary code execution or reading of local files. All users running unpatched versions of the Autodesk Fusion desktop application are affected.

💻 Affected Systems

Products:
  • Autodesk Fusion
Versions: The CVE text does not list specific version numbers; releases before the fix referenced in ADSK-SA-2026-0001 are affected
Operating Systems: Windows, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires user interaction (the victim must open the delete confirmation dialog for a design with a malicious name and click the injected content)

📦 What is this software?

Autodesk Fusion (formerly Fusion 360) is Autodesk's cloud-connected CAD, CAM and CAE desktop application for Windows and macOS; design names are user-controlled metadata that the application displays in its own dialogs, including the delete confirmation dialog at issue here.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Autodesk Fusion process, allowing attackers to read sensitive local files, execute arbitrary code with user privileges, and potentially pivot to other systems.

🟠

Likely Case

Theft of the signed-in user's session or credentials, or limited local file access, through attacker-controlled JavaScript running in the application's context.

🟢

If Mitigated

With input validation on design names and output encoding where the name is written into the dialog, impact is reduced to at most cosmetic UI manipulation, with no script execution.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM
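How the injection and the fix in the "If Mitigated" case look at the code level, as an added example written for this page (not Autodesk's code): a delete-confirmation dialog whose markup is built by string concatenation renders a stored design name as live HTML, while the same template with output encoding renders it as text. The dialog markup, the class names, the escapeHtml helper and the probeRendersLiterally check are illustrative assumptions; nothing here is taken from Fusion's implementation.

```javascript
// Added example for this page (not Autodesk code): a stored design name
// rendered by string concatenation becomes live HTML in the delete dialog;
// output encoding at the same point renders it as text. Dialog markup, class
// names and helper names are illustrative assumptions.

// HTML output encoder for text nodes and double-quoted attribute values.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the untrusted, stored design name is interpolated into markup as-is.
function renderDeleteDialogVulnerable(designName) {
  return `<div class="dialog">Delete design "${designName}"? ` +
         `<button class="confirm">Delete</button></div>`;
}

// FIXED: identical template, with the name encoded at the output boundary.
function renderDeleteDialogFixed(designName) {
  return `<div class="dialog">Delete design "${escapeHtml(designName)}"? ` +
         `<button class="confirm">Delete</button></div>`;
}

// Tags the dialog template itself emits; any other tag in the rendered
// markup must have come from the design name.
const TEMPLATE_TAGS = new Set(['div', 'button']);

// Tag names present in the markup that the template did not put there.
function foreignTags(html) {
  const found = new Set();
  for (const m of html.matchAll(/<\s*\/?\s*([a-zA-Z][a-zA-Z0-9-]*)/g)) {
    const tag = m[1].toLowerCase();
    if (!TEMPLATE_TAGS.has(tag)) found.add(tag);
  }
  return [...found].sort();
}

// Verification probe (the "safe XSS payload" check): a harmless tag in the
// design name must come out as literal text, i.e. no foreign tags and the
// encoded form of the probe present in the output.
function probeRendersLiterally(renderFn, probe = '<b>probe</b>') {
  const html = renderFn(probe);
  return foreignTags(html).length === 0 && html.includes(escapeHtml(probe));
}

// Constructed malicious design name: an <img> whose error handler runs in the
// dialog's context as soon as the vulnerable template renders it.
const MALICIOUS_NAME = 'Bracket v3<img src=x onerror="alert(document.location)">';

console.log(foreignTags(renderDeleteDialogVulnerable(MALICIOUS_NAME))); // [ 'img' ]
console.log(foreignTags(renderDeleteDialogFixed(MALICIOUS_NAME)));      // []
console.log(probeRendersLiterally(renderDeleteDialogVulnerable));       // false
console.log(probeRendersLiterally(renderDeleteDialogFixed));            // true
```

Encoding the name at the point where it is written into the dialog is the fix the "If Mitigated" case describes, and probeRendersLiterally is the shape of the harmless check a verifier can run with a design named <b>probe</b> instead of a real payload. Encoding stops the injection; it does not shrink what an already-injected script could reach. Whether such a script can read local files or execute code depends on the privileges of the web view the dialog runs in, which this example does not model.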

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering: the attacker must first get a design with a malicious name in front of the victim, and the victim must then open the delete confirmation dialog for that design and interact with the injected content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version with fix referenced in ADSK-SA-2026-0001

Vendor Advisory: https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001

Restart Required: Yes

Instructions:

1. Open Autodesk Fusion
2. Check for updates in the application settings
3. Download and install the latest version
4. Restart the application

🔧 Temporary Workarounds

Avoid suspicious design names

Platforms: all

Do not open or delete designs whose names contain HTML-like content (angle brackets, attributes such as onerror=, or javascript: URLs); treat such a name as a sign that someone has planted a payload, and remove it through a path that does not render the name, if one is available to you.

🧯 If You Can't Patch

  • Restrict the permissions of the account running Fusion so that script executing in the application's context can reach as few sensitive files as possible
  • Implement application whitelisting to block follow-on payloads; note that it does not stop script running inside the Fusion process itself, only binaries that script tries to launch

🔍 How to Verify

Check if Vulnerable:

Compare the installed Autodesk Fusion version against the affected and fixed versions listed in ADSK-SA-2026-0001; anything older than the fixed version is vulnerable.

Check Version:

In Autodesk Fusion: Help → About Fusion 360

Verify Fix Applied:

Confirm that the patched version from the vendor advisory is installed, then test with a harmless probe: create a design whose name contains a benign tag such as <b>probe</b>, open its delete confirmation dialog, and confirm the name is shown literally (angle brackets visible, no bold text) before deleting it. Do not use payloads that execute script or touch files for this check.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file access patterns from Fusion process
  • Multiple delete operations with unusual design names

Network Indicators:

  • Outbound connections from Fusion to unexpected destinations

SIEM Query:

Pseudo-query; map it to your SIEM's field names and to the Fusion process name on each platform (the binary name shown here is the Windows form):

Process: 'Fusion.exe' AND (FileAccess: 'sensitive' OR NetworkConnection: 'suspicious')
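A heuristic for the "multiple delete operations with unusual design names" log indicator above, as an added example written for this page (not Autodesk or vendor tooling): it parses a constructed JSON-lines export of design events, flags delete events whose design name contains HTML tags, inline event handlers or javascript: URLs, and escalates users with repeated hits. The event field names and the log format are assumptions; Fusion's real logs are not documented on this page, so the parser must be adapted to whatever endpoint or application telemetry you actually have.

```javascript
// Added example for this page (not Autodesk tooling): heuristic detector for
// delete events on designs whose names carry HTML/script. The JSON-lines
// event format and field names (ts, user, action, design) are assumptions.

// Patterns that indicate HTML or script injected into a design name.
const SUSPICIOUS_NAME_PATTERNS = [
  /<\s*[a-z][a-z0-9-]*[^>]*>/i,   // any HTML tag
  /\bon[a-z]+\s*=/i,             // inline event handler (onerror=, onload=, ...)
  /javascript\s*:/i,             // javascript: URL
];

function isSuspiciousDesignName(name) {
  return SUSPICIOUS_NAME_PATTERNS.some((re) => re.test(name));
}

// Parse JSON-lines text; malformed lines are skipped rather than aborting the scan.
function parseEvents(text) {
  const events = [];
  for (const line of text.split('\n')) {
    if (!line.trim()) continue;
    try { events.push(JSON.parse(line)); } catch { /* skip malformed line */ }
  }
  return events;
}

// Flag each delete event with a suspicious name, and escalate users who
// performed at least `threshold` such deletes (the "multiple delete
// operations" indicator). Returns both lists so either can be alerted on.
function detectSuspiciousDeletes(logText, threshold = 2) {
  const hits = parseEvents(logText).filter(
    (e) => e.action === 'delete' && typeof e.design === 'string' && isSuspiciousDesignName(e.design),
  );
  const perUser = new Map();
  for (const h of hits) perUser.set(h.user, (perUser.get(h.user) || 0) + 1);
  const escalated = [...perUser].filter(([, n]) => n >= threshold).map(([u]) => u).sort();
  return { hits, escalated };
}

// Constructed sample log (not real Fusion output): one benign delete, two
// deletes of injected names by the same user, one open (not a delete) of an
// injected name, one javascript: URL, and one malformed line.
const SAMPLE_LOG = [
  '{"ts":"2026-01-10T09:00:01Z","user":"alice","action":"delete","design":"Bracket v3"}',
  '{"ts":"2026-01-10T09:02:11Z","user":"bob","action":"delete","design":"Hinge<img src=x onerror=alert(1)>"}',
  '{"ts":"2026-01-10T09:03:40Z","user":"bob","action":"open","design":"Gear<script>fetch(\'x\')</script>"}',
  '{"ts":"2026-01-10T09:05:02Z","user":"bob","action":"delete","design":"<svg onload=alert(2)>"}',
  '{"ts":"2026-01-10T09:06:30Z","user":"carol","action":"delete","design":"Plate javascript:void(0)"}',
  'not json at all',
].join('\n');

const result = detectSuspiciousDeletes(SAMPLE_LOG);
console.log(result.hits.map((h) => `${h.user}: ${h.design}`)); // three hits
console.log('escalated users:', result.escalated);             // [ 'bob' ]
```

The name patterns are deliberately broad and will fire on legitimate names that happen to contain angle brackets or a word starting with "on" followed by "="; tune them against a sample of your own design names before alerting on them. The "open" event with an injected name is not a hit here because the indicator on this page is about delete operations, but it is exactly the planted-name precursor worth a lower-severity alert of its own.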
