Vulnerability Description
A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.
References
FAQ
What is CVE-2026-9264?
CVE-2026-9264 is a documented vulnerability. A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerabili...
How severe is CVE-2026-9264?
CVSS scoring is not yet available for CVE-2026-9264. Check NVD for updates.
Is there a patch for CVE-2026-9264?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.