Description
A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.
Published: 2026-05-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A cross-site scripting flaw in SketchUp 2026's Dynamic Components feature lets a maliciously crafted SKP file carry JavaScript that is rendered into the component options window and executed by the embedded Internet Explorer 11 browser. The root cause is improper input sanitization: component data taken from the file is placed into that window's HTML without being neutralized. Because the script runs inside the application's embedded browser rather than in an isolated web page, the record states that it can run arbitrary system commands and read local files, giving the attacker code execution on the victim's machine and exfiltration of local data from a single opened file. No interaction beyond opening the file is described.
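The following is an added illustration, not code from SketchUp, Trimble or this record, of the weakness class the analysis describes: attribute names and values read from an untrusted file are concatenated into the HTML of an options window that an embedded browser then renders. The function names, the attribute keys and the sample attacker values are constructed for the example; SketchUp's real Dynamic Components code is not shown here. The vulnerable renderer is placed beside an entity-encoding one, and a small tag check shows which of the two lets attacker-controlled markup through.

```ruby
# Added example (not SketchUp or Trimble code): a minimal model of a
# component options window rendered as HTML, showing untrusted attributes
# injected raw (CWE-79) beside the entity-encoded form.
require 'cgi'

# Constructed sample input: attribute values of the kind an attacker could
# embed in a crafted file. The keys are hypothetical, not real DC attributes.
MALICIOUS_ATTRIBUTES = {
  'material' => '<img src=x onerror="alert(document.domain)">',
  'lenx'     => '"><script>/* attacker script */</script>',
}.freeze

# Tags that the renderer's own template legitimately emits.
TEMPLATE_TAGS = %w[table tr td input].freeze

# Vulnerable: names and values are concatenated into the markup, so any
# HTML they carry becomes part of the page the embedded browser executes.
def render_options_unsafe(attrs)
  rows = attrs.map do |name, value|
    "<tr><td>#{name}</td><td><input value=\"#{value}\"></td></tr>"
  end
  "<table>#{rows.join}</table>"
end

# Hardened: every untrusted string is HTML-entity encoded before insertion.
# CGI.escapeHTML encodes & < > " and ', which is sufficient for text nodes
# and for double-quoted attribute values such as the input's value="...".
def render_options_safe(attrs)
  rows = attrs.map do |name, value|
    n = CGI.escapeHTML(name.to_s)
    v = CGI.escapeHTML(value.to_s)
    "<tr><td>#{n}</td><td><input value=\"#{v}\"></td></tr>"
  end
  "<table>#{rows.join}</table>"
end

# Check helper: list every element name that appears in the rendered HTML
# but is not part of the template. Anything returned here came from input.
def foreign_tags(html)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq - TEMPLATE_TAGS
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe renderer leaks: #{foreign_tags(render_options_unsafe(MALICIOUS_ATTRIBUTES)).inspect}"
  puts "safe renderer leaks:   #{foreign_tags(render_options_safe(MALICIOUS_ATTRIBUTES)).inspect}"
end
```

Entity encoding is the right fix only for text and quoted-attribute contexts; values that end up inside a script block, an event handler or a URL need context-specific encoding or should be rejected outright. As background not stated on this page: SketchUp's extension API offers both UI::WebDialog, which renders with the system Internet Explorer engine on Windows, and the newer UI::HtmlDialog, which uses an embedded Chromium. Moving a dialog to the latter removes the IE11 execution environment this record names, but does not by itself remove the injection.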

Affected Systems

Trimble's SketchUp 2026, specifically the Dynamic Components feature; any installation that includes this module is affected. The CPE on this record (cpe:2.3:a:trimble:sketchup:*:*:*:*:*:*:*:*) carries no version bounds, so no earliest-affected or fixed version has been published yet.

Risk and Exploitability

The CVSS 3.1 base score is 9.3 (Critical; vector CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). The EPSS score below 1% indicates a low estimated probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog, so no active exploitation is documented. The attack vector is local: the attacker must deliver a malicious SKP file and get a user to open it in SketchUp, and no network exposure of the application is needed; the "remote code execution" wording in the description refers to the attacker's position, not to a network-reachable service. Note that the vector's UI:N (no user interaction) sits uneasily with an attack that depends on a file being opened, and that no privileges are required (PR:N). Scope is Changed (S:C) because the injected script escapes the browser component into the operating system, and the confidentiality, integrity and availability impacts are all rated High.

Generated by OpenCVE AI on May 22, 2026 at 19:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SketchUp update from Trimble that addresses this issue once one is published; at the time of this record no vendor fix or workaround is listed, so the items below are the only available mitigations.
  • Run SketchUp under a non‑administrator user account so that any command the injected script runs inherits only standard user privileges (the vector's PR:N means the exploit itself needs none).
  • Implement file‑level controls or digital‑signature checks to prevent the opening of untrusted SKP files, treating SKP files from external sources like executable attachments, or otherwise restrict the import of dynamic components from external sources.
  • If the application permits configuration, disable or sandbox the embedded Internet Explorer 11 component to remove the execution environment for the injected script. Note that the embedded browser is the legacy MSHTML (Trident) engine, which remains present on Windows after the retirement of Internet Explorer 11 as a standalone browser, so removing the IE11 desktop application does not remove it.



Advisories

No advisories yet.

History

Fri, 22 May 2026 18:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-94
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 22 May 2026 03:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79

Fri, 22 May 2026 01:30:00 +0000

Type Values Removed Values Added
Description A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.
Title Cross-Site Scripting in SketchUp Dynamic Components
First Time appeared Trimble, Trimble sketchup
CPEs cpe:2.3:a:trimble:sketchup:*:*:*:*:*:*:*:*
Vendors & Products Trimble, Trimble sketchup
References

MITRE

Status: PUBLISHED

Assigner: Bugcrowd

Published:

Updated: 2026-05-22T15:52:45.358Z

Reserved: 2026-05-22T00:57:32.121Z

Link: CVE-2026-9264

Vulnrichment

Updated: 2026-05-22T15:49:55.552Z

NVD

Status : Received

Published: 2026-05-22T02:16:35.073

Modified: 2026-05-22T02:16:35.073

Link: CVE-2026-9264

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-22T19:30:44Z

Weaknesses