CVE-2026-24002

Published: Jan 22, 2026

Modified: Jan 22, 2026

PUBLISHED

CVSS v3.1

9.1

CRITICAL

Description

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.

Vendor	Product	Versions
gristlabs	grist-core	affected `< 1.7.9`

Weaknesses (CWE)

CWE-74

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g

x_refsource_CONFIRM

https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-24002

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References