Cyber Posture

CVE-2026-3223

Severity: High · Public PoC

Published: 27 February 2026
Modified: 14 April 2026
KEV Added: not listed
Patch: see the referenced advisory
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0000 (0.2 percentile)
Risk Priority: 16 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-3223 is a high-severity Path Traversal (CWE-22) vulnerability in Google Web Designer. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002). The CVE is ranked at the 0.2 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Malicious File (T1204.002) and one other technique (T1068, listed below). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent (SI-10, Information Input Validation): Directly prevents zip slip path traversal by validating file paths during zip extraction in Google Web Designer.
- Prevent (SI-2, Flaw Remediation): Remediates the specific zip slip vulnerability through timely flaw identification, reporting, and patching in Google Web Designer.
- Prevent: Limits damage from arbitrary file writes and privilege escalation by enforcing least privilege on the affected process.

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1204.002 Malicious File (tactic: Execution): An adversary may rely upon a user opening a malicious file in order to gain execution.
- T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

Why these techniques?

Zip slip (CWE-22 path traversal) in archive extraction directly enables arbitrary file write via a malicious file opened by the user (T1204.002) and facilitates local privilege escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Arbitrary file write & potential privilege escalation exploiting zip slip vulnerability in Google Web Designer.

Deeper analysis [AI-generated]

CVE-2026-3223 is a zip slip vulnerability in Google Web Designer that enables arbitrary file write and potential privilege escalation. Classified under CWE-22 (Path Traversal), it carries a CVSS v3.1 base score of 7.8, with vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability was published on 2026-02-27T14:16:30.923.

A local attacker can exploit this issue with low attack complexity and no required privileges, though user interaction is necessary. Successful exploitation allows high-impact consequences across confidentiality, integrity, and availability, including arbitrary file writes that could facilitate privilege escalation on the affected system.
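The path validation that the SI-10 control above describes, as an added Python example that is not part of this page or of Google Web Designer's code: every archive member is resolved against the destination directory before anything is written, and an archive with any escaping member is rejected whole. The archive contents, member names and scratch directory are constructed for illustration.

```python
import io
import os
import tempfile
import zipfile

def find_unsafe_members(archive, dest_dir):
    """Return member names whose on-disk target would fall outside dest_dir."""
    root = os.path.realpath(dest_dir)
    unsafe = []
    for name in archive.namelist():
        # Join exactly as a naive extractor would, then resolve '..' and absolute names.
        target = os.path.realpath(os.path.join(root, name))
        # commonpath compares whole components, so /tmp/out2 is not inside /tmp/out.
        if os.path.commonpath([root, target]) != root:
            unsafe.append(name)
    return unsafe

def safe_extract(zip_bytes, dest_dir):
    """Extract only if no member escapes dest_dir; return the member names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        unsafe = find_unsafe_members(zf, dest_dir)
        if unsafe:
            # Reject the whole archive rather than silently skipping entries.
            raise ValueError(f"zip slip attempt, refusing to extract: {unsafe}")
        zf.extractall(dest_dir)
        return zf.namelist()

def build_sample_archive(with_traversal):
    """Constructed sample archive: one benign entry, optionally one traversal entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("assets/index.html", "<html></html>")
        if with_traversal:
            zf.writestr("../../startup/payload.cmd", "constructed sample content")
    return buf.getvalue()

def demo():
    """Run both archives through the check in a scratch directory; return findings."""
    dest = tempfile.mkdtemp(prefix="gwd_extract_")
    with zipfile.ZipFile(io.BytesIO(build_sample_archive(True))) as zf:
        flagged = find_unsafe_members(zf, dest)
    try:
        safe_extract(build_sample_archive(True), dest)
        rejected = False
    except ValueError:
        rejected = True
    extracted = safe_extract(build_sample_archive(False), dest)
    on_disk = os.path.isfile(os.path.join(dest, "assets", "index.html"))
    return {"flagged": flagged, "rejected": rejected, "extracted": extracted, "benign_on_disk": on_disk}
```

CPython's own ZipFile.extractall already strips leading separators and `..` components, so the explicit check is what an extractor that writes raw member names to disk needs; rejecting the whole archive, rather than dropping bad entries, also gives a clean event to log and alert on.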

Mitigation details are available in the referenced advisory at https://bughunters.google.com/reports/vrp/FJMQGy8oo.

Details

CWE(s): CWE-22 (Path Traversal)

Affected Products: Google Web Designer 14.2.2.0


References