Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
18 vulnerabilities by gristlabs
CVE-2026-55665 (GCVE-0-2026-55665)
Vulnerability from nvd – Published: 2026-07-10 20:58 – Updated: 2026-07-14 14:11
VLAI
EPSS
VEX
Title
DOM-based XSS in Grist via unsanitized links, enabling privilege escalation
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim's authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/5d… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T14:11:20.375073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T14:11:49.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link\u0027s href without scheme validation, so a javascript URL could run in a victim\u0027s Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons\u0027 link target. In document tours, the GristDocTour table\u0027s Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim\u0027s authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:58:24.755Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7f6v-vghq-34xq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7f6v-vghq-34xq"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/5d0a90a162b5125fce7e8a86fb137eee5199dbde",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/5d0a90a162b5125fce7e8a86fb137eee5199dbde"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-7f6v-vghq-34xq",
"discovery": "UNKNOWN"
},
"title": "DOM-based XSS in Grist via unsanitized links, enabling privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55665",
"datePublished": "2026-07-10T20:58:24.755Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-14T14:11:49.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55664 (GCVE-0-2026-55664)
Vulnerability from nvd – Published: 2026-07-10 20:59 – Updated: 2026-07-13 18:55
VLAI
EPSS
VEX
Title
Grist: Insufficient access control in the /forms endpoint exposes table metadata
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/14… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T18:34:28.495573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T18:55:09.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document\u0027s access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:59:12.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-w2hc-w6cg-xvh9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-w2hc-w6cg-xvh9"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/14694156fe99c438c5f7a452ad367e933bb194db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/14694156fe99c438c5f7a452ad367e933bb194db"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-w2hc-w6cg-xvh9",
"discovery": "UNKNOWN"
},
"title": "Grist: Insufficient access control in the /forms endpoint exposes table metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55664",
"datePublished": "2026-07-10T20:59:12.603Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-13T18:55:09.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55659 (GCVE-0-2026-55659)
Vulnerability from nvd – Published: 2026-07-10 20:57 – Updated: 2026-07-13 16:01
VLAI
EPSS
VEX
Title
Grist: XSS through unsafe value interpolation in server-rendered pages
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim's Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/4c… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T16:01:16.076169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T16:01:23.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document\u0027s name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim\u0027s Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:57:39.281Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-6qrq-h2h6-cw54",
"discovery": "UNKNOWN"
},
"title": "Grist: XSS through unsafe value interpolation in server-rendered pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55659",
"datePublished": "2026-07-10T20:57:39.281Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-13T16:01:23.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24002 (GCVE-0-2026-24002)
Vulnerability from nvd – Published: 2026-01-22 02:26 – Updated: 2026-01-22 12:54
VLAI
EPSS
VEX
Title
pyodide sandbox option is insecure
Summary
Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://support.getgrist.com/self-managed/#how-do… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T12:52:12.413052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T12:54:32.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T02:26:28.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g"
},
{
"name": "https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents",
"tags": [
"x_refsource_MISC"
],
"url": "https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents"
}
],
"source": {
"advisory": "GHSA-7xvx-8pf2-pv5g",
"discovery": "UNKNOWN"
},
"title": "pyodide sandbox option is insecure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24002",
"datePublished": "2026-01-22T02:26:28.765Z",
"dateReserved": "2026-01-19T18:49:20.658Z",
"dateUpdated": "2026-01-22T12:54:32.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64753 (GCVE-0-2025-64753)
Vulnerability from nvd – Published: 2025-11-13 21:46 – Updated: 2025-11-14 16:17
VLAI
EPSS
VEX
Title
grist-core has insufficient access control in endpoints for comparisons between documents and versions
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:12:20.392850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T16:17:23.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:46:00.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-3v78-cw58-v685",
"discovery": "UNKNOWN"
},
"title": "grist-core has insufficient access control in endpoints for comparisons between documents and versions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64753",
"datePublished": "2025-11-13T21:46:00.508Z",
"dateReserved": "2025-11-10T22:29:34.874Z",
"dateUpdated": "2025-11-14T16:17:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64752 (GCVE-0-2025-64752)
Vulnerability from nvd – Published: 2025-11-13 21:43 – Updated: 2025-11-14 17:10
VLAI
EPSS
VEX
Title
grist-core has path to server-side requests via websocket
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:25:04.348078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T17:10:33.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:43:57.610Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-qh95-2qv8-pqx3",
"discovery": "UNKNOWN"
},
"title": "grist-core has path to server-side requests via websocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64752",
"datePublished": "2025-11-13T21:43:57.610Z",
"dateReserved": "2025-11-10T22:29:34.873Z",
"dateUpdated": "2025-11-14T17:10:33.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56359 (GCVE-0-2024-56359)
Vulnerability from nvd – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:49
VLAI
EPSS
VEX
Title
Cross-site Scripting vulnerability through HyperLink cells in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/a7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:49:18.855510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:49:50.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:55.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-qv69-5cj2-53r9",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through HyperLink cells in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56359",
"datePublished": "2024-12-20T20:24:55.622Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:49:50.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56358 (GCVE-0-2024-56358)
Vulnerability from nvd – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:53
VLAI
EPSS
VEX
Title
Cross-site Scripting vulnerability through svg attachment previews in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/a7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:53:15.510364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:53:26.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:53.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-jvfm-gf4f-33q3",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through svg attachment previews in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56358",
"datePublished": "2024-12-20T20:24:53.932Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:53:26.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56357 (GCVE-0-2024-56357)
Vulnerability from nvd – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:56
VLAI
EPSS
VEX
Title
Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/10… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:56:05.803853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:56:14.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:51.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e"
}
],
"source": {
"advisory": "GHSA-cq5q-cqr7-vmf6",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56357",
"datePublished": "2024-12-20T20:24:51.149Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:56:14.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-55664 (GCVE-0-2026-55664)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:59 – Updated: 2026-07-13 18:55
VLAI
EPSS
VEX
Title
Grist: Insufficient access control in the /forms endpoint exposes table metadata
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document's access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15.
Severity
4.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/14… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55664",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T18:34:28.495573Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T18:55:09.131Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, the GET /forms endpoint read table and column metadata without applying the document\u0027s access rules and did not check that the requested section was actually a form. A user with only partial read access, including public access on a publicly viewable document, could request the metadata of any widget and reveal table and column structure that access rules would otherwise hide, even in documents that contain no forms. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:59:12.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-w2hc-w6cg-xvh9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-w2hc-w6cg-xvh9"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/14694156fe99c438c5f7a452ad367e933bb194db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/14694156fe99c438c5f7a452ad367e933bb194db"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-w2hc-w6cg-xvh9",
"discovery": "UNKNOWN"
},
"title": "Grist: Insufficient access control in the /forms endpoint exposes table metadata"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55664",
"datePublished": "2026-07-10T20:59:12.603Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-13T18:55:09.131Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55665 (GCVE-0-2026-55665)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:58 – Updated: 2026-07-14 14:11
VLAI
EPSS
VEX
Title
DOM-based XSS in Grist via unsanitized links, enabling privilege escalation
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim's authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/5d… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55665",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-14T14:11:20.375073Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-14T14:11:49.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link\u0027s href without scheme validation, so a javascript URL could run in a victim\u0027s Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons\u0027 link target. In document tours, the GristDocTour table\u0027s Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim\u0027s authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:58:24.755Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7f6v-vghq-34xq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7f6v-vghq-34xq"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/5d0a90a162b5125fce7e8a86fb137eee5199dbde",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/5d0a90a162b5125fce7e8a86fb137eee5199dbde"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-7f6v-vghq-34xq",
"discovery": "UNKNOWN"
},
"title": "DOM-based XSS in Grist via unsanitized links, enabling privilege escalation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55665",
"datePublished": "2026-07-10T20:58:24.755Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-14T14:11:49.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-55659 (GCVE-0-2026-55659)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:57 – Updated: 2026-07-13 16:01
VLAI
EPSS
VEX
Title
Grist: XSS through unsafe value interpolation in server-rendered pages
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim's Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/4c… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-55659",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-13T16:01:16.076169Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-13T16:01:23.973Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document\u0027s name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim\u0027s Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:57:39.281Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-6qrq-h2h6-cw54",
"discovery": "UNKNOWN"
},
"title": "Grist: XSS through unsafe value interpolation in server-rendered pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55659",
"datePublished": "2026-07-10T20:57:39.281Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-13T16:01:23.973Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24002 (GCVE-0-2026-24002)
Vulnerability from cvelistv5 – Published: 2026-01-22 02:26 – Updated: 2026-01-22 12:54
VLAI
EPSS
VEX
Title
pyodide sandbox option is insecure
Summary
Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://support.getgrist.com/self-managed/#how-do… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.9
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24002",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-22T12:52:12.413052Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T12:54:32.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.9"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-22T02:26:28.765Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g"
},
{
"name": "https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents",
"tags": [
"x_refsource_MISC"
],
"url": "https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents"
}
],
"source": {
"advisory": "GHSA-7xvx-8pf2-pv5g",
"discovery": "UNKNOWN"
},
"title": "pyodide sandbox option is insecure"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24002",
"datePublished": "2026-01-22T02:26:28.765Z",
"dateReserved": "2026-01-19T18:49:20.658Z",
"dateUpdated": "2026-01-22T12:54:32.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64753 (GCVE-0-2025-64753)
Vulnerability from cvelistv5 – Published: 2025-11-13 21:46 – Updated: 2025-11-14 16:17
VLAI
EPSS
VEX
Title
grist-core has insufficient access control in endpoints for comparisons between documents and versions
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64753",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:12:20.392850Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T16:17:23.927Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or tables to which the user was not supposed to have read access. This was fixed in version 1.7.7 by restricting the `/compare` endpoint to users with full read access. As a workaround, remove sensitive document history using the `/states/remove` endpoint. Another possibility is to block the `/compare` endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:46:00.508Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-3v78-cw58-v685"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-3v78-cw58-v685",
"discovery": "UNKNOWN"
},
"title": "grist-core has insufficient access control in endpoints for comparisons between documents and versions"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64753",
"datePublished": "2025-11-13T21:46:00.508Z",
"dateReserved": "2025-11-10T22:29:34.874Z",
"dateUpdated": "2025-11-14T16:17:23.927Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64752 (GCVE-0-2025-64752)
Vulnerability from cvelistv5 – Published: 2025-11-13 21:43 – Updated: 2025-11-14 17:10
VLAI
EPSS
VEX
Title
grist-core has path to server-side requests via websocket
Summary
grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.
Severity
6.8 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.7
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64752",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-14T16:25:04.348078Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-14T17:10:33.307Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.7"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T21:43:57.610Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qh95-2qv8-pqx3"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.7"
}
],
"source": {
"advisory": "GHSA-qh95-2qv8-pqx3",
"discovery": "UNKNOWN"
},
"title": "grist-core has path to server-side requests via websocket"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64752",
"datePublished": "2025-11-13T21:43:57.610Z",
"dateReserved": "2025-11-10T22:29:34.873Z",
"dateUpdated": "2025-11-14T17:10:33.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-56359 (GCVE-0-2024-56359)
Vulnerability from cvelistv5 – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:49
VLAI
EPSS
VEX
Title
Cross-site Scripting vulnerability through HyperLink cells in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/a7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56359",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:49:18.855510Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:49:50.232Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and clicking on a link in a HyperLink cell using a control modifier (meaning for example Ctrl+click) could have their account compromised, since the link could use the javascript: scheme and be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid clicking on HyperLink cell links using a control modifier in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:55.622Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-qv69-5cj2-53r9"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-qv69-5cj2-53r9",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through HyperLink cells in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56359",
"datePublished": "2024-12-20T20:24:55.622Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:49:50.232Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56358 (GCVE-0-2024-56358)
Vulnerability from cvelistv5 – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:53
VLAI
EPSS
VEX
Title
Cross-site Scripting vulnerability through svg attachment previews in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/a7… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.2
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56358",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:53:15.510364Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:53:26.149Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document and previewing an attachment could have their account compromised, because JavaScript in an SVG file would be evaluated in the context of their current page. This issue has been patched in version 1.3.2. Users are advised to upgrade. Users unable to upgrade should avoid previewing attachments in documents prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:53.932Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-jvfm-gf4f-33q3"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/a792bdc43b456dbdd6fdc50d8747f4c349fab2f4"
}
],
"source": {
"advisory": "GHSA-jvfm-gf4f-33q3",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through svg attachment previews in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56358",
"datePublished": "2024-12-20T20:24:53.932Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:53:26.149Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-56357 (GCVE-0-2024-56357)
Vulnerability from cvelistv5 – Published: 2024-12-20 20:24 – Updated: 2024-12-24 15:56
VLAI
EPSS
VEX
Title
Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core
Summary
grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust.
Severity
8.1 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/10… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.3.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-56357",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-24T15:56:05.803853Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-24T15:56:14.305Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "grist-core is a spreadsheet hosting server. A user visiting a malicious document or submitting a malicious form could have their account compromised, because it was possible to use the `javascript:` scheme with custom widget URLs and form redirect URLs. This issue has been patched in version 1.3.1. Users are advised to upgrade. Users unable to upgrade should avoid visiting documents or forms prepared by people they do not trust."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T20:24:51.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-cq5q-cqr7-vmf6"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/10b069005ec8d5f511e6554a56111d8f257f029e"
}
],
"source": {
"advisory": "GHSA-cq5q-cqr7-vmf6",
"discovery": "UNKNOWN"
},
"title": "Cross-site Scripting vulnerability through custom widget URLs and form redirect URLs in grist-core"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-56357",
"datePublished": "2024-12-20T20:24:51.149Z",
"dateReserved": "2024-12-20T17:29:55.861Z",
"dateUpdated": "2024-12-24T15:56:14.305Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}