Home / Security updates / Sketchup Security Advisory: Cross-Site Scripting in SketchUp Dynamic Components
Sketchup Security Advisory: Cross-Site Scripting in SketchUp Dynamic Components
Security updates detail rendered from /security-updates/upd_10e3bea2d01a9fa4.
Overview
| ID | upd_10e3bea2d01a9fa4 |
| Collection | Security Updates |
| Provider | SafeBase |
| Company | Trimble |
| URL | - |
| Counts | - |
| Updated | - |
Raw record
| Field | Value |
|---|---|
| id | upd_10e3bea2d01a9fa4 |
| providerId | safebase |
| organizationId | org_01b39afec72836da |
| trustCenterId | tc_ef7d8378cec92c5f |
| title | Sketchup Security Advisory: Cross-Site Scripting in SketchUp Dynamic Components |
| message | Description Cross-Site Scripting (XSS) within the Component Options window has been identified in the SketchUp Dynamic Components extension that may allow an attacker to execute arbitrary code or exfiltrate local files. Impacted versions Product Version SketchUp Desktop (Windows & Mac) Versions prior to 2026.1.3 Dynamic Components Extension Versions prior to 1.8.5 Impact Successful exploitation of this vulnerability requires a user to interact with a malicious SketchUp file (.skp). The impact may include: Remote Code Execution (RCE) via ActiveX Local file exfiltration Remediation and Mitigation Users should update their SketchUp Desktop installation to version 2026.1.3 or later. Updating the SketchUp application will automatically include the patched version of the Dynamic Components extension. Acknowledgments This vulnerability was discovered and reported through the Trimble Bug Bounty Program on Bugcrowd. We would like to thank the security researcher for their professional discl |
| url | - |
| publishedAt | 2026-05-14 |
| source | {
"field": "statuspage/public/compliance-update",
"category": "vulnerabilities"
} |
| company | {
"id": "org_01b39afec72836da",
"name": "Trimble",
"domains": [
"trust.trimble.com",
"trimble.com"
]
} |
| trust_center | {
"id": "tc_ef7d8378cec92c5f",
"name": "Trimble",
"url": "https://trust.trimble.com",
"host": "trust.trimble.com"
} |
| provider | {
"id": "safebase",
"name": "SafeBase"
} |
| links | {
"self": "/v1/security-updates/upd_10e3bea2d01a9fa4",
"company": "/v1/companies/org_01b39afec72836da",
"trust_center": "/v1/trust-centers/tc_ef7d8378cec92c5f",
"provider": "/v1/providers/safebase"
} |
Get this page with API
Rendered from the bluedoor Trust Centers API. Reproduce it:
GET https://api.bluedoor.sh/trust-centers/v1/security-updates/upd_10e3bea2d01a9fa4JSON