Trimble SketchUp Dynamic Components Cross-Site Scripting Vulnerability Allowing Remote Code Execution and File Exfiltration

Vulnerability

A cross-site scripting vulnerability has been identified in the Dynamic Components feature of Trimble SketchUp 2026, prior to version 2026.1.3. This vulnerability allows remote code execution and local file exfiltration through maliciously crafted SKP files. The issue arises from improper input sanitization in the component options window, which enables attackers to execute arbitrary system commands and access local files without user interaction by exploiting an embedded Internet Explorer 11 browser.

Impact

Exploitation of this vulnerability could lead to remote code execution via ActiveX and unauthorized access to local files.

Remediation

Users are advised to update SketchUp Desktop to version 2026.1.3 or later. This update will automatically include the patched version of the Dynamic Components extension.

Added: May 22, 2026, 2:20 AM
Updated: May 22, 2026, 2:20 AM

Vulnerability Rating

Custom Algorithm

spread: 7.8
impact: 7.5
exploitability: 4.2
remediation: 7.7
relevance: 8.9
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.