CVE 9.3 CRITICAL

Cross-Site Scripting in SketchUp Dynamic Components_CVE-2026-9264

May 22, 2026 invoker category_cve

9.3 / 10

CRITICAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

AI Analysis

Cross-site scripting vulnerability in SketchUp's Dynamic Components feature allowing remote code execution and local file exfiltration

Basic Information

ID CVE-2026-9264

Source Bugcrowd

Published May 22, 2026 at 01:04

Modified May 22, 2026 at 15:52

Affected Product

Vendor Trimble

Product SketchUp

Version 2026

Affected Versions Trimble SketchUp 0

CWE Classification

CWE-94

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor Trimble

Product SketchUp

Version 2026

References

trust.trimble.com /

{
    "lastseen": "",
    "description": "A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.",
    "published": "2026-05-22T01:04:03.699Z",
    "modified": "2026-05-22T15:52:45.358Z",
    "type": "cve",
    "title": "Cross-Site Scripting in SketchUp Dynamic Components",
    "source": "Bugcrowd",
    "references": "https://trust.trimble.com/?tcuUid=52252bc0-c196-4b1f-9f13-4e4c9ba247d9",
    "id": "CVE-2026-9264",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "Trimble SketchUp 0",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "SketchUp",
    "version": "2026",
    "vendor": "Trimble",
    "ai_description": "Cross-site scripting vulnerability in SketchUp's Dynamic Components feature allowing remote code execution and local file exfiltration",
    "ai_severity": "Critical",
    "ai_vendor": "Trimble",
    "ai_product": "SketchUp",
    "ai_version": "2026",
    "ai_score": 9.3
}

💭 Join the Security Discussion ❌ Cancel Reply