CVE-2026-55659 (GCVE-0-2026-55659)
Vulnerability from cvelistv5 – Published: 2026-07-10 20:57 – Updated: 2026-07-10 20:57
VLAI
EPSS
VEX
Title
Grist: XSS through unsafe value interpolation in server-rendered pages
Summary
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim's Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
Severity
7.7 (High)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/gristlabs/grist-core/security/… | x_refsource_CONFIRM |
| https://github.com/gristlabs/grist-core/commit/4c… | x_refsource_MISC |
| https://github.com/gristlabs/grist-core/releases/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gristlabs | grist-core |
Affected:
< 1.7.15
|
{
"containers": {
"cna": {
"affected": [
{
"product": "grist-core",
"vendor": "gristlabs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.7.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document\u0027s name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim\u0027s Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-10T20:57:39.281Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54"
},
{
"name": "https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc"
},
{
"name": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gristlabs/grist-core/releases/tag/v1.7.15"
}
],
"source": {
"advisory": "GHSA-6qrq-h2h6-cw54",
"discovery": "UNKNOWN"
},
"title": "Grist: XSS through unsafe value interpolation in server-rendered pages"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-55659",
"datePublished": "2026-07-10T20:57:39.281Z",
"dateReserved": "2026-06-17T00:05:03.777Z",
"dateUpdated": "2026-07-10T20:57:39.281Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-55659",
"date": "2026-07-12",
"epss": "0.00275",
"percentile": "0.19369"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-55659\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-07-10T21:16:56.577\",\"lastModified\":\"2026-07-10T21:16:56.577\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document\u0027s name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim\u0027s Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.\"}],\"affected\":[{\"source\":\"security-advisories@github.com\",\"affectedData\":[{\"vendor\":\"gristlabs\",\"product\":\"grist-core\",\"versions\":[{\"version\":\"\u003c 1.7.15\",\"status\":\"affected\"}]}]}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N\",\"baseScore\":7.7,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.3,\"impactScore\":5.8}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"},{\"lang\":\"en\",\"value\":\"CWE-116\"}]}],\"references\":[{\"url\":\"https://github.com/gristlabs/grist-core/commit/4ced8064b7ea0e1763d5a6a2588b22774ce7efbc\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gristlabs/grist-core/releases/tag/v1.7.15\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/gristlabs/grist-core/security/advisories/GHSA-6qrq-h2h6-cw54\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…