CVE-2026-4092

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/google/clasp/pull/1109	Issue Tracking Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:google:clasp:*:*:*:*:*:*:*:*

History

14 Apr 2026, 17:34

Type	Values Removed	Values Added
First Time		Google clasp Google
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:google:clasp::::::::
References	~~() https://github.com/google/clasp/pull/1109 -~~	() https://github.com/google/clasp/pull/1109 - Issue Tracking, Patch

16 Mar 2026, 14:53

Type	Values Removed	Values Added
Summary		(es) Salto de ruta en Clasp que afecta a las versiones < 3.2.0 permite a un atacante remoto realizar ejecución remota de código mediante un proyecto malicioso de Google Apps Script que contiene nombres de archivo especialmente manipulados con secuencias de salto de directorio.

13 Mar 2026, 19:55

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-13 19:55

Updated : 2026-04-14 17:34

NVD link : CVE-2026-4092

Mitre link : CVE-2026-4092

CVE.ORG link : CVE-2026-4092

JSON object : View

Products Affected

google

clasp

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-4092", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "cve-coordination@google.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-13T19:55:13.493", "references": [{"url": "https://github.com/google/clasp/pull/1109", "tags": ["Issue Tracking", "Patch"], "source": "cve-coordination@google.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve-coordination@google.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences."}, {"lang": "es", "value": "Salto de ruta en Clasp que afecta a las versiones < 3.2.0 permite a un atacante remoto realizar ejecuci\u00f3n remota de c\u00f3digo mediante un proyecto malicioso de Google Apps Script que contiene nombres de archivo especialmente manipulados con secuencias de salto de directorio."}], "lastModified": "2026-04-14T17:34:34.770", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:google:clasp:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5FF1EB47-9967-4A24-BAB5-C827C9A753C0", "versionEndExcluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve-coordination@google.com"}