Lucene search
+L

64 matches found

NVD
NVD
added 2026/07/10 9:16 p.m.5 views

CVE-2026-55665

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single...

8.5CVSS0.00322EPSS
Exploits0References3
NVD
NVD
added 2026/07/10 9:16 p.m.8 views

CVE-2026-55664

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, includin...

4.3CVSS0.00243EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 8:59 p.m.8 views

CVE-2026-55664

Summary: Grist ≤ 1.7.14 permits reading table/column metadata via GET /forms without enforcing document access rules, potentially exposing widget metadata even in documents with no forms. Impact (as stated): A user with partial read access (including public access on a public document) could reve...

4.3CVSS6.1AI score0.00243EPSS
Exploits0References3
OSV
OSV
added 2026/07/10 8:59 p.m.4 views

CVE-2026-55664 Grist: Insufficient access control in the /forms endpoint exposes table metadata

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, includin...

4.3CVSS6.1AI score0.00243EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/07/10 8:59 p.m.32 views

CVE-2026-55664 Grist: Insufficient access control in the /forms endpoint exposes table metadata

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, includin...

4.3CVSS0.00243EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/10 8:58 p.m.32 views

CVE-2026-55665 DOM-based XSS in Grist via unsanitized links, enabling privilege escalation

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single...

8.5CVSS0.00322EPSS
Exploits0References3
OSV
OSV
added 2026/07/10 8:58 p.m.3 views

CVE-2026-55665 DOM-based XSS in Grist via unsanitized links, enabling privilege escalation

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single...

8.5CVSS6.1AI score0.00322EPSS
Exploits0References5
CVE
CVE
added 2026/07/10 8:58 p.m.11 views

CVE-2026-55665

Grist spreadsheet app vulnerable to DOM-based XSS prior to version 1.7.15. Two flaws allowed attacker-controlled values to appear in link hrefs without scheme validation, enabling a javascript URL to execute in a victim’s Grist origin on a single click. Specifically, on the account-selection page...

8.5CVSS6.1AI score0.00322EPSS
Exploits0References3
CVE
CVE
added 2026/07/10 8:57 p.m.14 views

CVE-2026-55659

Grist has a cross-site scripting (XSS) vulnerability (CVE-2026-55659) in server-rendered pages caused by embedding user-controlled values into the page and inline scripts without proper escaping. The issue affects pages where a document’s name/description is rendered and where the OAuth2 end-of-f...

7.7CVSS5.8AI score0.00275EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/07/10 8:57 p.m.31 views

CVE-2026-55659 Grist: XSS through unsafe value interpolation in server-rendered pages

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's nam...

7.7CVSS0.00275EPSS
Exploits0References3
The Hacker News
The Hacker News
added 2026/01/27 10:36 a.m.11 views

Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

A critical security flaw has been disclosed in Grist‑Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution. The vulnerability, tracked as CVE-2026-24002 CVSS score: 9.1, has been codenamed Cellbreak by Cyera Research Lab...

9.9CVSS6.8AI score0.12685EPSS
Exploits4
RedhatCVE
RedhatCVE
added 2026/01/23 6:19 a.m.6 views

CVE-2026-24002

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9.6CVSS5.7AI score0.005EPSS
Exploits0References1
NVD
NVD
added 2026/01/22 3:15 a.m.7 views

CVE-2026-24002

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9.6CVSS0.005EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/01/22 2:26 a.m.2 views

CVE-2026-24002

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9CVSS5.8AI score0.005EPSS
Exploits0References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/01/22 2:26 a.m.5 views

CVE-2026-24002 pyodide sandbox option is insecure

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9CVSS5.7AI score0.005EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/01/22 2:26 a.m.31 views

CVE-2026-24002 pyodide sandbox option is insecure

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9CVSS0.005EPSS
Exploits0References2
EUVD
EUVD
added 2026/01/22 2:26 a.m.6 views

EUVD-2026-4212

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9CVSS5.7AI score0.005EPSS
Exploits0References2
CVE
CVE
added 2026/01/22 2:26 a.m.61 views

CVE-2026-24002

CVE-2026-24002 – Grist sandbox escape vulnerability affects Grist Core (Grist open-source self-hosted spreadsheet/database). The issue arises when running formulas in the Pyodide sandbox on Node.js, where the sandbox barrier is insufficient, allowing an untrusted spreadsheet to escape to host exe...

9.6CVSS5.7AI score0.005EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/01/22 2:26 a.m.8 views

CVE-2026-24002 pyodide sandbox option is insecure

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox...

9CVSS5.7AI score0.005EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/01/22 12:0 a.m.7 views

Grist injection vulnerability

Grist is a modern relational spreadsheet developed by Grist Open Source. Versions of Grist prior to 1.7.9 had an injection vulnerability, which was caused by insufficient pyodide sandbox barriers. This vulnerability could allow for the execution of arbitrary processes on the server...

9.6CVSS6.2AI score0.005EPSS
Exploits0References2
Rows per page
Query Builder