CVE-2026-9264

Name of the Vulnerable Software and Affected Versions SketchUp 2026

Description A cross-site scripting (XSS) issue in the Dynamic Components feature allows remote code execution and local file exfiltration via maliciously crafted SKP files. The flaw is caused by improper input sanitization in the component options window, which enables attackers to execute arbitrary system commands and read local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.