Description
Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.
Published: 2026-03-13
Score: 8.7 High
EPSS: 1.1% Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a path traversal flaw in Google Clasp that allows an attacker to craft malicious Google Apps Script project files with directory traversal sequences in the filenames. When such a project is uploaded or imported, Clasp writes the files to arbitrary locations on the host, enabling malicious code to be executed. This results in full remote code execution on the system where Clasp is running. The vulnerability is classified as CWE‑22, an improper validation of file names or paths.

Affected Systems

All users of Google Clasp with installations of any version earlier than 3.2.0 are affected. The specific product is Google:Clasp. No additional products or versions are identified in the provided data.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, and the EPSS score of 1% suggests a relatively low but still possible exploitation probability. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote via the upload or import of a malicious Apps Script project, which can be automated, making exploitation feasible for an attacker who can deliver the crafted files to a target environment.

Generated by OpenCVE AI on March 19, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Google clasp to version 3.2.0 or newer

Generated by OpenCVE AI on March 19, 2026 at 15:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-hqjg-pww4-pcgq @google/clasp vulnerable to unsafe path traversal cloning or pulling a malicious script
References
Link Providers
https://github.com/google/clasp/pull/1109 cve-icon cve-icon
History

Tue, 14 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:google:clasp:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 16 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Google
Google clasp
Vendors & Products Google
Google clasp

Fri, 13 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Description Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.
Title Arbitrary File Write via Path Traversal in Google clasp leading to RCE
Weaknesses CWE-22
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Google Clasp
cve-icon MITRE

Status: PUBLISHED

Assigner: Google

Published:

Updated: 2026-03-16T18:34:49.535Z

Reserved: 2026-03-12T22:01:38.879Z

Link: CVE-2026-4092

cve-icon Vulnrichment

Updated: 2026-03-16T18:34:45.589Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-13T19:55:13.493

Modified: 2026-04-14T17:34:34.770

Link: CVE-2026-4092

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-23T12:02:49Z

Weaknesses