CVE-2026-9264
Description
A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting in SketchUp 2026 Dynamic Components enables RCE and file exfiltration via crafted SKP files.
Vulnerability
A cross-site scripting (XSS) vulnerability exists in the Dynamic Components feature of SketchUp 2026. Improper input sanitization in the component options window allows attackers to inject arbitrary script code. This affects SketchUp Desktop versions prior to 2026.1.3 and Dynamic Components extension versions prior to 1.8.5. The vulnerability is triggered when a user opens a specially crafted SketchUp (.skp) file [1].
Exploitation
An attacker must create a malicious .skp file containing the XSS payload and convince a user to open it in a vulnerable SketchUp installation. When the user accesses the Dynamic Components options window, the payload executes within an embedded Internet Explorer 11 browser. This enables ActiveX controls to be invoked, allowing arbitrary system command execution and local file reading without additional user interaction [1].
Impact
Successful exploitation leads to remote code execution (RCE) via ActiveX on Windows and local file exfiltration. An attacker can execute arbitrary commands with the privileges of the user running SketchUp, potentially compromising the entire system. The attack requires only that the user opens the malicious file [1].
Mitigation
Update SketchUp Desktop to version 2026.1.3 or later, which automatically includes the patched Dynamic Components extension version 1.8.5. No workarounds are available for unpatched versions [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0
No linked articles in our index yet.