CVE-2026-4092

HIGH

Google Clasp < 3.2.0 - Remote Code Execution via Directory Traversal in Filename

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-4092. PoCs published by XiaomingX, g0w6y.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-4092, a path traversal vulnerability in @google/clasp. It includes vulnerable code snippets, a proof-of-concept demonstration, and a fix analysis.

Description

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

Exploits (2)

github WRITEUP 10 stars
by XiaomingX · python · poc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-4092

This repository provides a detailed technical analysis of CVE-2026-4092, a path traversal vulnerability in @google/clasp. It includes vulnerable code snippets, a proof-of-concept demonstration, and a fix analysis.

Classification: Writeup 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: @google/clasp < 3.2.0
No auth needed
Prerequisites: Attacker-controlled Google Apps Script project · Victim runs 'clasp clone' or 'clasp pull'
devstral-2 · analyzed Mar 15, 2026

nomisec WRITEUP
by g0w6y · poc
https://github.com/g0w6y/CVE-2026-4092

This repository provides a detailed technical analysis of CVE-2026-4092, a path traversal vulnerability in @google/clasp. It includes vulnerable code snippets, a proof-of-concept demonstration, and a comprehensive explanation of the attack scenario and fix.

Classification: Writeup 100%
Attack Type: Other
Complexity: Moderate
Reliability: Reliable
Target: @google/clasp < 3.2.0
No auth needed
Prerequisites: Attacker-controlled Google Apps Script project · Victim runs 'clasp clone' or 'clasp pull'
devstral-2 · analyzed Mar 15, 2026

Scores

CVSS v3: 8.8
EPSS: 0.0027
EPSS Percentile: 50.5%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-22
Status: published
Products (3):
google/clasp < 3.2.0
google/clasp 0 - 3.2.0 (npm)
Google/Clasp < 3.2.0
Published: Mar 13, 2026
Tracked Since: Mar 14, 2026