216.73.216.223

CVE-2026-9264

· Published 22/05/2026 02:16 · Modified 22/05/2026 02:16

Labels: CVE-2026-9264 2026-05-224ac701fe-44e9-4bcd-9585-dd6449257611CVE-2026-9264

Essential information

Published
22/05/2026 02:16
Modified
22/05/2026 02:16
Author
Creator
CISA KEV
No
CWE

Description

A cross-site scripting (XSS) vulnerability in SketchUp 2026's Dynamic Components feature allows remote code execution and local file exfiltration through maliciously crafted SKP files. The vulnerability stems from improper input sanitization in the component options window, enabling attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
4ac701fe-44e9-4bcd-9585-dd6449257611
NVD
View on NVD

Affected products (CPE)

ProductCPE
sketchup / sketchup cpe:2.3:a:sketchup:sketchup:2026:*:*:*:*:*:*:*

References