Platform: other
Component: google-web-designer
Fixed in: 14.2.2.0
CVE-2026-3223 describes a privilege escalation vulnerability affecting Google Web Designer. This flaw stems from a zip slip vulnerability, allowing attackers to potentially write files outside of the intended directory. Versions of Google Web Designer between 0.0 and 14.2.2.0 are affected. A fix is available in version 14.2.2.0.
The zip slip vulnerability allows an attacker to manipulate the extraction path of files within a ZIP archive. In the context of Google Web Designer, this could enable an attacker to write arbitrary files to the system, potentially overwriting critical configuration files or executable code. Successful exploitation could lead to privilege escalation, granting the attacker elevated permissions on the affected system. The potential impact extends beyond simple file modification; an attacker could potentially gain control of the system by overwriting key system binaries or injecting malicious code. The blast radius is significant, as a compromised Google Web Designer installation could serve as a foothold for further attacks within the network.
CVE-2026-3223 was published on 2026-02-27. The vulnerability's exploitation probability is currently assessed as medium, given the potential for complex archive manipulation required for successful exploitation. No proof-of-concept exploits have been publicly disclosed at the time of writing. It is not currently listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 0.01% (3% percentile)
The primary mitigation for CVE-2026-3223 is to upgrade Google Web Designer to version 14.2.2.0 or later. Before upgrading, it's recommended to back up any custom templates or projects to prevent data loss. If a direct upgrade is not feasible due to compatibility issues, consider temporarily restricting the ability to import ZIP archives from untrusted sources within Google Web Designer. While not a complete solution, this can reduce the attack surface. There are no specific WAF or proxy rules that can directly address this vulnerability, as it resides within the application itself. After upgrading, confirm the fix by attempting to import a specially crafted ZIP archive designed to trigger the zip slip vulnerability; the application should now prevent file writes outside the intended directory.
Upgrade Google Web Designer to version 14.2.2.0 or later. This fixes the Zip Slip vulnerability that allows arbitrary file writes and possible privilege escalation.
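One way to screen ZIP archives from untrusted sources before they are imported, as an added example that is not Google Web Designer's code or its fix. The names `entry_problem`, `audit_zip` and `build_sample` are hypothetical, the sample archive is constructed in memory, and the check goes slightly beyond plain `../` traversal by also flagging absolute paths and symbolic-link entries.

```python
import io
import ntpath
import posixpath
import stat
import zipfile


def entry_problem(info):
    """Return why an entry could land outside the extraction root, or None."""
    name = info.filename.replace("\\", "/")  # treat Windows separators as separators
    # Leading slash, UNC prefix or drive letter: the path ignores the root.
    if name.startswith("/") or ntpath.splitdrive(info.filename)[0]:
        return "absolute path"
    # Collapse "a/../b" first, then see whether the result climbs above the root.
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        return "parent-directory traversal"
    # The Unix file mode is stored in the high 16 bits of external_attr.
    if stat.S_ISLNK(info.external_attr >> 16):
        return "symbolic link"
    return None


def audit_zip(source):
    """Map each risky entry name to the reason it was flagged (empty dict = clean)."""
    with zipfile.ZipFile(source) as zf:
        return {i.filename: r for i in zf.infolist() if (r := entry_problem(i))}


def build_sample():
    """Constructed sample archive: two ordinary entries and three risky ones."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("project/index.html", "<html></html>")
        zf.writestr("project/a/../b.css", "")       # resolves inside the root
        zf.writestr("../../outside.txt", "x")       # climbs above the root
        zf.writestr("/tmp/abs.txt", "x")            # absolute path
        link = zipfile.ZipInfo("project/link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16
        zf.writestr(link, "elsewhere")              # symlink entry
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()).items():
        print(f"REJECT {name!r}: {reason}")
```

An archive for which `audit_zip` returns a non-empty dict should be rejected whole rather than extracted with the flagged entries skipped.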
It's a privilege escalation vulnerability in Google Web Designer caused by a zip slip flaw, allowing potential arbitrary file writes.
If you are using Google Web Designer versions 0.0 through 14.2.2.0, you are potentially affected by this vulnerability.
Upgrade Google Web Designer to version 14.2.2.0 or later to resolve this issue. Back up your projects before upgrading.
Currently, there are no publicly known active exploitation campaigns or proof-of-concept exploits for this vulnerability.
Refer to the Google Security Blog and the National Vulnerability Database (NVD) for more information about CVE-2026-3223.