7.1 HIGH
- CVSS version: 3.1
- Attack vector (AV): LOCAL
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): HIGH
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Stored XSS in Fusion desktop when attempting to delete a file
A maliciously crafted HTML payload in a design name, when displayed during the delete confirmation dialog and clicked by a user, can trigger a Stored Cross-site Scripting (XSS) vulnerability in the Autodesk Fusion desktop application. A malicious actor may leverage this vulnerability to read local files or execute arbitrary code in the context of the current process.
References
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 vendor-advisory
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 vendor-advisory
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 vendor-advisory
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://dl.appstreaming.autodesk.com/production/installers/Fusion%20Client%20Do… patch
- https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0001 vendor-advisory
Affected products
- <2606.1.21
- <2606.1.22
Matching in nixpkgs
pkgs.datafusion-cli
cli for Apache Arrow DataFusion
pkgs.lxgw-fusionkai
Simplified Chinese font derived from LXGW WenKai GB, iansui and Klee One
pkgs.fusionInventory
FusionInventory unified Agent for UNIX, Linux, Windows and MacOSX
pkgs.finalfusion-utils
Utility for converting, quantizing, and querying word embeddings
pkgs.python312Packages.datafusion
Extensible query execution framework
pkgs.python313Packages.datafusion
Extensible query execution framework
pkgs.haskellPackages.fusion-plugin
GHC plugin to make stream fusion more predictable
pkgs.python312Packages.finalfusion
Python module for using finalfusion, word2vec, and fastText word embeddings
pkgs.python312Packages.k-diffusion
Karras et al. (2022) diffusion models for PyTorch
-
nixos-unstable 0.1.1.post1
- nixpkgs-unstable 0.1.1.post1
- nixos-unstable-small 0.1.1.post1
pkgs.python313Packages.finalfusion
Python module for using finalfusion, word2vec, and fastText word embeddings
pkgs.python313Packages.k-diffusion
Karras et al. (2022) diffusion models for PyTorch
-
nixos-unstable 0.1.1.post1
- nixpkgs-unstable 0.1.1.post1
- nixos-unstable-small 0.1.1.post1
pkgs.haskellPackages.gogol-datafusion
Google Cloud Data Fusion SDK
pkgs.haskellPackages.list-fusion-probe
testing list fusion for success
pkgs.haskellPackages.gogol-fusiontables
Google Fusion Tables SDK
pkgs.haskellPackages.fusion-plugin-types
Types for the fusion-plugin package
pkgs.pkgsRocm.python3Packages.k-diffusion
Karras et al. (2022) diffusion models for PyTorch
-
nixos-unstable 0.1.1.post1
- nixpkgs-unstable 0.1.1.post1
- nixos-unstable-small 0.1.1.post1
Package maintainers
-
@happysalada Raphael Megzari <raphael@megzari.com>
-
@phile314 Philipp Hausmann <nix@314.ch>
-
@hellodword hellodword
-
@cpcloud Phillip Cloud
-
@Mic92 Jörg Thalheim <joerg@thalheim.io>