PT-2026-3906 · Pyodide+3
Vladimirelitokarev · Published 2026-01-22 · Updated 2026-02-06
CVE-2026-24002
CVSS v3.1: 9.6 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Grist versions prior to 1.7.9
Description
Grist is spreadsheet software that uses Python as its formula language. When it is configured to run formulas in the Pyodide sandbox (`GRIST_SANDBOX_FLAVOR` set to `pyodide`), a crafted spreadsheet formula can escape the sandbox and execute arbitrary processes on the host server. This allows an attacker to run operating system commands and potentially access sensitive information such as database credentials and API keys. The issue stems from the lack of a robust sandbox barrier in the Pyodide implementation on Node.js.
Recommendations
Versions prior to 1.7.9 should be updated to version 1.7.9 or later.
As a workaround for versions prior to 1.7.9, set `GRIST_SANDBOX_FLAVOR` to `gvisor` to use the gVisor-based sandbox.
Exploit
Fix
RCE
Special Elements Injection
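The affected condition stated above (Grist older than 1.7.9 with `GRIST_SANDBOX_FLAVOR=pyodide`) is easy to misjudge if versions are compared as strings, since "1.7.10" sorts before "1.7.9" lexically. The following audit helper is an added example, not code from the advisory or from the Grist project; it encodes only the rule the advisory gives and assumes nothing about Grist's default flavor when the variable is unset.

```python
# Added example (not part of the advisory): decide whether a Grist deployment
# matches the vulnerable condition for CVE-2026-24002 from its version string
# and its GRIST_SANDBOX_FLAVOR setting. Rule taken from the advisory:
# version < 1.7.9 AND sandbox flavor "pyodide".
import os
import re
from typing import Optional, Tuple

FIXED_VERSION = (1, 7, 9)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.7.10' or 'v1.7.9' into a numeric tuple so that 1.7.10 > 1.7.9.

    Plain string comparison would wrongly rank '1.7.10' below '1.7.9'.
    A trailing pre-release suffix such as '-rc1' is ignored.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognized version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(version: str, sandbox_flavor: Optional[str]) -> bool:
    """True when version < 1.7.9 and the Pyodide sandbox flavor is selected."""
    flavor = (sandbox_flavor or "").strip().lower()
    return parse_version(version) < FIXED_VERSION and flavor == "pyodide"


def assess(version: str, sandbox_flavor: Optional[str]) -> str:
    """Short verdict carrying the advisory's recommended action."""
    if is_affected(version, sandbox_flavor):
        return ("VULNERABLE: update to 1.7.9 or later, or set "
                "GRIST_SANDBOX_FLAVOR=gvisor as a workaround")
    if parse_version(version) < FIXED_VERSION:
        return "not using the pyodide flavor; still update to 1.7.9 or later"
    return "OK: version 1.7.9 or later"


def assess_from_env(version: str, environ=os.environ) -> str:
    """Read the flavor from the process environment (hypothetical helper).

    An unset GRIST_SANDBOX_FLAVOR is reported as such rather than guessed,
    because this example does not assume Grist's default flavor.
    """
    flavor = environ.get("GRIST_SANDBOX_FLAVOR")
    if flavor is None:
        return "GRIST_SANDBOX_FLAVOR not set; confirm the deployment's default before deciding"
    return assess(version, flavor)


if __name__ == "__main__":
    # Constructed sample deployments, not real hosts.
    samples = [("1.7.8", "pyodide"), ("1.7.10", "pyodide"), ("1.7.8", "gvisor")]
    for ver, flavor in samples:
        print(f"Grist {ver:<7} flavor={flavor:<8} -> {assess(ver, flavor)}")
```

Run it against the version reported by a Grist instance and the environment it was started with; the numeric comparison is the part worth keeping, since 1.7.10 and later are fixed releases even though they sort below 1.7.9 as strings.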
Weakness Enumeration
Related Identifiers
Affected Products
Grist
Deno
Gvisor
Pyodide