Security Advisory: Cross-Site Scripting in SketchUp Dynamic Components

Description
A Cross-Site Scripting (XSS) vulnerability has been identified in the Component Options window
of the SketchUp Dynamic Components extension. It may allow an attacker to execute arbitrary
code or exfiltrate local files.

Impacted versions
Product | Version
SketchUp Desktop (Windows & Mac) | Versions prior to 2026.1.2
Dynamic Components Extension | All versions prior to the March 2026 security release

Impact
Successful exploitation of this vulnerability requires a user to interact with a malicious SketchUp
file (.skp). The impact may include:
● Remote Code Execution (RCE) via ActiveX
● Local file exfiltration

Remediation and Mitigation
Users should update their SketchUp Desktop installation to version 2026.1.2 or later. Updating
the SketchUp application will automatically include the patched version of the Dynamic
Components extension.

Acknowledgments
This vulnerability was discovered and reported through the Trimble Bug Bounty Program on
Bugcrowd. We would like to thank the security researcher for their professional disclosure and
assistance in securing our products.

References
● SketchUp Release Notes https://help.sketchup.com/en/sketchup-desktop-202612
