Nixpkgs security tracker

Untriaged

Permalink CVE-2026-4092

created 1 month, 1 week ago Activity log

Created suggestion 1 month, 1 week ago

Arbitrary File Write via Path Traversal in Google clasp leading to RCE

Path Traversal in Clasp impacting versions < 3.2.0 allows a remote attacker to perform remote code execution via a malicious Google Apps Script project containing specially crafted filenames with directory traversal sequences.

References

https://github.com/google/clasp/pull/1109

Affected products

Clasp

==< 3.2.0

Matching in nixpkgs

pkgs.google-clasp

Develop Apps Script Projects locally

nixos-unstable 3.2.0
- nixpkgs-unstable 3.2.0
- nixos-unstable-small 3.2.0
nixos-25.11 2.5.0
- nixos-25.11-small 2.5.0
- nixpkgs-25.11-darwin 2.5.0

pkgs.clasp-common-lisp

Common Lisp implementation based on LLVM with C++ integration

nixos-unstable 2.7.0
- nixpkgs-unstable 2.7.0
- nixos-unstable-small 2.7.0
nixos-25.11 2.7.0
- nixos-25.11-small 2.7.0
- nixpkgs-25.11-darwin 2.7.0

Package maintainers

@lukego Luke Gorrie <luke@snabb.co>
@hraban Hraban Luyat <hraban@0brg.net>
@nagy Daniel Nagy <danielnagy@posteo.de>
@Uthar Kasper Gałkowski <galkowskikasper@gmail.com>
@7c6f434c Michael Raskin <7c6f434c@mail.ru>
@natsukium Tomoya Otabi <nixpkgs@natsukium.com>