CVE-2026-10789 | A maliciously crafted webpage, when visited by a user with A… | CVSS 9.6 CRITICAL

Description

A maliciously crafted webpage, when visited by a user with Autodesk Fusion Desktop running and the MCP extension enabled, can trigger a vulnerability in the MCP extension that could allow arbitrary code execution. A successful exploit may allow code to execute with the privileges of the current user.

Metadata

CVE ID: CVE-2026-10789
State: PUBLISHED
Assigner: autodesk
Reserved: 2026-06-03 19:23 UTC
Published: 2026-06-22 17:15 UTC
Last updated: 2026-06-22 17:25 UTC
Primary CWE: CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product: Autodesk / Fusion
Sources: cve.org · NVD

Severity & Metrics

9.6 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: no
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Autodesk	Fusion	—	2703.1.11 < 2703.1.20

Weakness (CWE)

CWE	Source	Description
CWE-94	cna	CWE-94 Improper Control of Generation of Code ('Code Injection')

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.6	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

References (3)