CVE-2026-24002

Published 22/01/2026 03:15 · Modified 22/01/2026 03:15

Labels: CVE-2026-24002, 2026-01-22, CWE-74, [email protected]

Essential information

Published: 22/01/2026 03:15
Modified: 22/01/2026 03:15
Author:
Creator:
CVSS: 9.0 CRITICAL (v3.1)
CISA KEV: No
CWE: CWE-74
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]

Affected products (CPE)

| Product | CPE |
| --- | --- |
| grist / grist | cpe:2.3:a:grist:grist:1.7.9:*:*:*:*:*:*:* |
| grist / grist | cpe:2.3:a:grist:grist:*:*:*:*:*:*:*:* |
