PT-2026-3906 · Pyodide+3

Vladimirelitokarev · Published 2026-01-22 · Updated 2026-02-06 · CVE-2026-24002

CVSS v3.1: 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Grist versions prior to 1.7.9

Description: Grist is spreadsheet software that uses Python as its formula language. When configured to run formulas in the Pyodide sandbox (GRIST_SANDBOX_FLAVOR set to pyodide), a crafted spreadsheet formula can escape the sandbox and execute arbitrary processes on the host server. This allows an attacker to run operating system commands and potentially access sensitive information such as database credentials and API keys. The issue stems from the lack of a robust sandbox barrier within the Pyodide implementation on Node.js.

Recommendations: Versions prior to 1.7.9 should be updated to version 1.7.9 or later. As a workaround for versions prior to 1.7.9, set GRIST_SANDBOX_FLAVOR to gvisor to use the gVisor-based sandbox.

Exploit · Fix · RCE · Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2026-24002
GHSA-7XVX-8PF2-PV5G

Affected Products

Grist
Deno
Gvisor
Pyodide