Cross-Site Scripting Vulnerability in SketchUp's Dynamic Components Feature
CVE-2026-9264

9.3CRITICAL

Key Information:

Vendor: Trimble
Status: Sketchup
Vendor: CVE Published:; 22 May 2026

What is CVE-2026-9264?

A cross-site scripting vulnerability exists in SketchUp 2026's Dynamic Components feature, allowing attackers to execute arbitrary system commands and access local files without user interaction. This security flaw arises from the improper sanitization of user input in the component options window, enabling the exploitation of an embedded Internet Explorer 11 browser when processing maliciously crafted SKP files. If successfully exploited, this vulnerability can lead to significant risks, including the execution of remote code and local file exfiltration.

Affected Version(s)

SketchUp 0 < 2026.1.3

References

https://trust.trimble.com/?tcuUid=52252bc0-c196-4b1f-9f13...

CVSS V3.1

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 22, 2026
Vulnerability Reserved
May 22, 2026

CVE-2026-9264 Data

JSON

Trimble

What is CVE-2026-9264?

Affected Version(s)

References

CVSS V3.1

Timeline