Home > Vulnerability Database > CVE-2026-24002

Mend.io Vulnerability Database

CVE-2026-24002

Good to know:

Date: January 21, 2026

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets "GRIST_SANDBOX_FLAVOR" to "pyodide" and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting "GRIST_SANDBOX_FLAVOR" to "gvisor".

Severity Score

9.0

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-24002

Url: https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g

Url: https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents

Url: https://www.mend.io/vulnerability-database/CVE-2026-24002

Severity Score

9.0

Weakness Type (CWE)

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version https://github.com/gristlabs/grist-core.git - v1.7.9

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	HIGH
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2026-24002

Good to know:

Date: January 21, 2026

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?