PT-2026-25324 · Npm+1 · @Google/Clasp+1

Leekiyoon-Sec · Published 2026-03-13 · Updated 2026-03-16 · CVE-2026-4092

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions
Clasp versions prior to 3.2.0

Description
A path traversal issue exists in Clasp, potentially allowing a remote attacker to execute code on the developer's machine. This occurs through a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences. The issue allows an attacker to modify files outside the project directory, leading to potential remote code execution.

API Endpoints
No API endpoints are mentioned in the provided descriptions.

Vulnerable Parameters or Variables
Filenames within Google Apps Script projects are vulnerable.

Recommendations
Update Clasp to version 3.2.0 or later. Only clone or pull scripts from trusted sources. Review the output of the pull and clone commands to verify only expected project files are modified.
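The containment check that this class of bug calls for, shown as an added example: it is not Clasp's code and not the 3.2.0 fix. The function name, the project root and the sample file names are assumptions constructed for illustration. It resolves each remote file name against the project directory and reports the names that would land outside it.

```javascript
const path = require('node:path');

// Returns the subset of remote file names that would be written outside
// projectRoot if joined to it. Hypothetical helper, not part of Clasp.
function findEscapingNames(projectRoot, remoteNames) {
  const root = path.resolve(projectRoot);
  return remoteNames.filter((name) => {
    // Treat backslashes as separators too, so "..\\x" is caught on any OS.
    const normalised = String(name).replace(/\\/g, '/');
    const target = path.resolve(root, normalised);
    const rel = path.relative(root, target);
    return (
      rel === '' ||                      // resolves to the root itself
      rel === '..' ||
      rel.startsWith('..' + path.sep) || // climbs above the root
      path.isAbsolute(rel)               // e.g. a different drive on Windows
    );
  });
}

// Constructed sample: file names as they might arrive from a remote project.
const sampleNames = [
  'Code.js',
  'lib/util.js',
  'lib/../Code.js',        // stays inside the root once resolved
  '..config.js',           // unusual name, but not a parent reference
  '../outside.js',
  'lib/../../outside.js',
  '/tmp/absolute.js',
  '..\\outside.js',
];

// Runs the check against a constructed project root.
function demo() {
  return findEscapingNames('/home/dev/project', sampleNames);
}

console.log(demo());
```

The comparison is made on the resolved path, not on the raw string, which is why `lib/../Code.js` passes and `lib/../../outside.js` does not. The check is lexical only and does not follow symlinks inside the project directory.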

Fix

RCE

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-4092
GHSA-HQJG-PWW4-PCGQ

Affected Products

@Google/Clasp
Clasp