Vulnerability Details CVE-2026-24002
Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 19.4%
CVSS Severity
CVSS v3 Score 9.0
References
Products affected by CVE-2026-24002
-
cpe:2.3:a:getgrist:grist-core:0.7.1
-
cpe:2.3:a:getgrist:grist-core:0.7.2
-
cpe:2.3:a:getgrist:grist-core:0.7.3
-
cpe:2.3:a:getgrist:grist-core:0.7.4
-
cpe:2.3:a:getgrist:grist-core:0.7.5
-
cpe:2.3:a:getgrist:grist-core:0.7.6
-
cpe:2.3:a:getgrist:grist-core:0.7.7
-
cpe:2.3:a:getgrist:grist-core:0.7.8
-
cpe:2.3:a:getgrist:grist-core:0.7.9
-
cpe:2.3:a:getgrist:grist-core:1.0.3
-
cpe:2.3:a:getgrist:grist-core:1.0.4
-
cpe:2.3:a:getgrist:grist-core:1.0.5
-
cpe:2.3:a:getgrist:grist-core:1.0.6
-
cpe:2.3:a:getgrist:grist-core:1.0.7
-
cpe:2.3:a:getgrist:grist-core:1.0.8
-
cpe:2.3:a:getgrist:grist-core:1.0.9
-
cpe:2.3:a:getgrist:grist-core:1.1.0
-
cpe:2.3:a:getgrist:grist-core:1.1.1
-
cpe:2.3:a:getgrist:grist-core:1.1.10
-
cpe:2.3:a:getgrist:grist-core:1.1.11
-
cpe:2.3:a:getgrist:grist-core:1.1.12
-
cpe:2.3:a:getgrist:grist-core:1.1.13
-
cpe:2.3:a:getgrist:grist-core:1.1.14
-
cpe:2.3:a:getgrist:grist-core:1.1.15
-
cpe:2.3:a:getgrist:grist-core:1.1.16
-
cpe:2.3:a:getgrist:grist-core:1.1.17
-
cpe:2.3:a:getgrist:grist-core:1.1.18
-
cpe:2.3:a:getgrist:grist-core:1.1.2
-
cpe:2.3:a:getgrist:grist-core:1.1.3
-
cpe:2.3:a:getgrist:grist-core:1.1.4
-
cpe:2.3:a:getgrist:grist-core:1.1.5
-
cpe:2.3:a:getgrist:grist-core:1.1.6
-
cpe:2.3:a:getgrist:grist-core:1.1.7
-
cpe:2.3:a:getgrist:grist-core:1.1.8
-
cpe:2.3:a:getgrist:grist-core:1.1.9
-
cpe:2.3:a:getgrist:grist-core:1.2.0
-
cpe:2.3:a:getgrist:grist-core:1.2.1
-
cpe:2.3:a:getgrist:grist-core:1.3.0
-
cpe:2.3:a:getgrist:grist-core:1.3.1
-
cpe:2.3:a:getgrist:grist-core:1.3.2
-
cpe:2.3:a:getgrist:grist-core:1.3.3
-
cpe:2.3:a:getgrist:grist-core:1.4.0
-
cpe:2.3:a:getgrist:grist-core:1.4.1
-
cpe:2.3:a:getgrist:grist-core:1.4.2
-
cpe:2.3:a:getgrist:grist-core:1.5.0
-
cpe:2.3:a:getgrist:grist-core:1.5.1
-
cpe:2.3:a:getgrist:grist-core:1.5.2
-
cpe:2.3:a:getgrist:grist-core:1.6.0
-
cpe:2.3:a:getgrist:grist-core:1.6.1
-
cpe:2.3:a:getgrist:grist-core:1.7.0
-
cpe:2.3:a:getgrist:grist-core:1.7.1
-
cpe:2.3:a:getgrist:grist-core:1.7.2
-
cpe:2.3:a:getgrist:grist-core:1.7.3
-
cpe:2.3:a:getgrist:grist-core:1.7.4
-
cpe:2.3:a:getgrist:grist-core:1.7.5
-
cpe:2.3:a:getgrist:grist-core:1.7.7