@battis/gas-lighter (>=0.2.0 <=0.5.2), @ciderjs/dgs (>=0.1.0 <=0.1.1) +11 more potentially affected by CVE-2026-4092 via @google/clasp (>=1.5.3 <=3.1.3)

@google/clasp NPM version =1.5.3, =0.2.0, =0.1.0, =0.0.1, =0.0.2, =0.0.2, =2.0.5, =1.0.0, =3.1.1, =0.1.0, =0.0.1, =2.0.0, =4.0.0 Source cves: CVE-2026-4092 Source advisory: OSV:GHSA-HQJG-PWW4-PCGQ...

CVE-2026-4092 Arbitrary File Write via Path Traversal in Google clasp leading to RCE

Path Traversal in Clasp impacting versions 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences...

CVE-2026-4092 Arbitrary File Write via Path Traversal in Google clasp leading to RCE

Path Traversal in Clasp impacting versions 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences...

CVE-2026-4092

CVE-2026-4092 affects Google clasp prior to 3.2.0. A path traversal in filenames within a Google Apps Script project can lead to remote code execution, enabling an attacker to write arbitrary files on the host. Affected versions:

multi-clasp2 (=4.0.0) potentially affected by CVE-2026-4092 via @google/clasp (=3.1.3)

@google/clasp NPM version =3.1.3 is affected by a known vulnerability. The following packages have a transitive dependency on @google/clasp and may be impacted: - multi-clasp2 =4.0.0 Source cves: CVE-2026-4092 Source advisory: SNYK:JS-GOOGLECLASP-15248426...