// #xss
3 articles
SketchUp CVE-2026-9264: Malicious SKP File Delivers RCE via Embedded IE11 Browser — CVSS 9.3
Trimble disclosed CVE-2026-9264, a CVSS 9.3 remote code execution vulnerability in SketchUp 2026, on 22 May. An attacker who convinces a user to open a crafted .skp file can achieve code execution and local file exfiltration via XSS in SketchUp's Dynamic Components feature, which renders HTML content using an embedded IE11 browser with full local file system access.
Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet
Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.
Jenkins GitHub Plugin CVE-2026-42523 — CVSS 9.0 Stored XSS Enables Pipeline Hijacking and Secret Extraction
CVE-2026-42523, rated CVSS 9.0, is a stored cross-site scripting vulnerability in the Jenkins GitHub Plugin 1.46.0 and earlier. Exploitation allows an attacker with job creation rights to inject malicious JavaScript that executes in the browser of any Jenkins administrator who views the affected job — enabling session hijacking, secret extraction, and full pipeline takeover. Update to GitHub Plugin 1.46.1 or later.