{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4092", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2026-03-12T22:01:38.879Z", "datePublished": "2026-03-13T15:44:55.099Z", "dateUpdated": "2026-03-16T18:34:49.535Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2026-03-13T15:44:55.099Z"}, "title": "Arbitrary File Write via Path Traversal in Google clasp leading to RCE", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-64", "descriptions": [{"lang": "en", "value": "CAPEC-64: Path Traversal"}]}], "affected": [{"vendor": "Google", "product": "Clasp", "versions": [{"status": "affected", "version": "< 3.2.0"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Path Traversal in Clasp impacting versions &lt; 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences."}]}], "references": [{"url": "https://github.com/google/clasp/pull/1109"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 1.0.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-16T18:34:42.588878Z", "id": "CVE-2026-4092", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:34:49.535Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4092", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-16T18:34:42.588878Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T18:34:45.589Z"}}], "cna": {"title": "Arbitrary File Write via Path Traversal in Google clasp leading to RCE", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-64", "descriptions": [{"lang": "en", "value": "CAPEC-64: Path Traversal"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Google", "product": "Clasp", "versions": [{"status": "affected", "version": "< 3.2.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/google/clasp/pull/1109"}], "x_generator": {"engine": "Vulnogram 1.0.0"}, "descriptions": [{"lang": "en", "value": "Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.", "supportingMedia": [{"type": "text/html", "value": "Path Traversal in Clasp impacting versions &lt; 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2026-03-13T15:44:55.099Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4092", "state": "PUBLISHED", "dateUpdated": "2026-03-16T18:34:49.535Z", "dateReserved": "2026-03-12T22:01:38.879Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2026-03-13T15:44:55.099Z", "assignerShortName": "Google"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:google:clasp:*:*:*:*:*:*:*:*", "matchCriteriaId": "5FF1EB47-9967-4A24-BAB5-C827C9A753C0", "versionEndExcluding": "3.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences."}, {"lang": "es", "value": "Salto de ruta en Clasp que afecta a las versiones &lt; 3.2.0 permite a un atacante remoto realizar ejecuci\u00f3n remota de c\u00f3digo mediante un proyecto malicioso de Google Apps Script que contiene nombres de archivo especialmente manipulados con secuencias de salto de directorio."}], "id": "CVE-2026-4092", "lastModified": "2026-04-14T17:34:34.770", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2026-03-13T19:55:13.493", "references": [{"source": "cve-coordination@google.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/google/clasp/pull/1109"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "clasp", "vendor": "google"}], "analysis": {"en": {"generated_at": "2026-04-14T21:50:31.906628+00:00", "value": {"mitigation_remediation": ["Upgrade Google Clasp to version 3.2.0 or later.", "If an immediate upgrade is not possible, restrict write permissions on the directory where Clasp stores project files.", "Avoid importing Google Apps Script projects from untrusted sources and verify file names before execution.", "Check the official Clasp repository for further updates or security advisories."], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "All installations of Google Clasp older than version 3.2.0 are affected. The vulnerability is present regardless of the operating system, as Clasp can run on Windows, macOS, or Linux. Any user who installs a vulnerable version and imports or runs projects from untrusted sources is at risk.", "description_and_impact": "Clasp, the command\u2011line tool for managing Google Apps Scripts, contains a path\u2011traversal flaw that allows an attacker to write or overwrite arbitrary files on the machine where Clasp runs. By crafting a project that includes file names with directory\u2011traversal sequences such as \"../\", a malicious user can create or modify files outside the intended project directory, potentially executing arbitrary code. The weakness is classified as CWE\u201122, improper validation of file paths.", "risk_and_exploitability": "The CVSS score of 8.7 places this flaw in the high\u2011risk category, while an EPSS score of 1\u202f% indicates that widespread exploitation is currently unlikely. The vulnerability is not listed in CISA\u2019s Known Exploited Vulnerabilities catalog. Based on the description, it is inferred that the attack vector involves supplying a malicious Google Apps Script project that contains specially crafted file names with directory\u2011traversal sequences. Exploitation requires that an attacker supply such a project; therefore the attack surface is limited to users who import untrusted projects. Until a patch is applied, the potential for remote code execution remains."}}}}, "created": "2026-03-16T09:25:07.099286+00:00", "updated": "2026-04-15T17:00:07.002184+00:00", "vendors": ["google", "google$PRODUCT$clasp"]}