Which versions of Google are affected by CVE-2026-4092?

CVE-2026-4092 is a high-severity remote code execution vulnerability in Clasp versions prior to 3.2.0 that allows attackers to execute arbitrary code by uploading malicious Google Apps Script…. A patch is available.

Is there a public PoC exploit available for CVE-2026-4092?

Yes, a public proof-of-concept exploit is available for CVE-2026-4092. Prioritise patching immediately. EPSS: 1.0%.

Google CVE-2026-4092

Q: What is the CVSS score of CVE-2026-4092?

CVE-2026-4092 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 1.0%.

Q: How to fix or mitigate CVE-2026-4092?

Within 24 hours: Inventory all systems running Clasp and identify critical dependencies; disable Clasp functionality where operationally feasible. Within 7 days: Implement network segmentation to restrict Clasp processes from accessing sensitive systems; enable enhanced logging on Google Workspace and Google Apps Script execution; review recent Clasp project uploads for suspicious activity. Within 30 days: Establish a process to immediately deploy the vendor patch upon availability; conduct forensic analysis of historical Clasp usage for indicators of compromise.

EUVD-2026-12047 HIGH

Path Traversal (CWE-22)

2026-03-13 Google

GHSA-hqjg-pww4-pcgq

RCE Path Traversal Google

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

Patch released

Mar 31, 2026 - 21:13 nvd

Patch available

PoC Detected

Mar 16, 2026 - 14:53 vuln.today

Public exploit code

EUVD ID Assigned

Mar 13, 2026 - 16:57 euvd

EUVD-2026-12047

Analysis Generated

Mar 13, 2026 - 16:57 vuln.today

CVE Published

Mar 13, 2026 - 15:44 nvd

HIGH 8.7

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

1 npm packages depend on @google/clasp (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.2.0.

DescriptionNVD

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

AnalysisAI

Remote code execution in Clasp versions below 3.2.0 allows unauthenticated attackers to execute arbitrary code by uploading Google Apps Script projects with specially crafted filenames that exploit path traversal weaknesses. Public exploit code exists for this vulnerability, and no patch is currently available. …

RemediationAI

Within 24 hours: Inventory all systems running Clasp and identify critical dependencies; disable Clasp functionality where operationally feasible. Within 7 days: Implement network segmentation to restrict Clasp processes from accessing sensitive systems; enable enhanced logging on Google Workspace and Google Apps Script execution; review recent Clasp project uploads for suspicious activity. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory