Skip to main content

Google CVE-2026-4092

| EUVDEUVD-2026-12047 HIGH
Path Traversal (CWE-22)
2026-03-13 Google GHSA-hqjg-pww4-pcgq
8.7
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

5
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
PoC Detected
Mar 16, 2026 - 14:53 vuln.today
Public exploit code
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-12047
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 15:44 nvd
HIGH 8.7

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on @google/clasp (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.2.0.

DescriptionCVE.org

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

AnalysisAI

Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires minimal user interaction and affects Google's Clasp tooling across all configurations.

Technical ContextAI

Clasp is an open-source command-line tool developed by Google that enables local development of Google Apps Script projects. The vulnerability stems from improper input validation (CWE-22: Path Traversal) when processing filenames within Apps Script projects during cloning or pulling operations. When Clasp processes project files, it fails to properly sanitize filenames containing directory traversal sequences (such as ../ or ..\ patterns), allowing malicious actors to write files outside the intended project directory. This can lead to overwriting critical system files or placing malicious code in startup locations, ultimately resulting in remote code execution on the developer's machine.

RemediationAI

Upgrade Clasp to version 3.2.0 or later immediately by running npm update @google/clasp or npm install @google/clasp@latest. Until patching is complete, developers should avoid cloning or pulling Apps Script projects from untrusted sources and carefully review any project structures before importing them. Additionally, implement security controls such as running development tools in isolated environments or containers to limit the potential impact of exploitation. Organizations should audit their development environments to identify all Clasp installations and ensure they are updated to the patched version.

Share

CVE-2026-4092 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy