CVE-2026-24002
Grist is spreadsheet software that uses Python as its formula language. Because users may open untrusted spreadsheets, Grist offers several ways to run those formulas in a sandbox. One of them runs formulas in Pyodide, but Pyodide running on Node.js provides no useful sandbox barrier. If GRIST_SANDBOX_FLAVOR is set to pyodide and a malicious document is opened, that document can run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and later, which runs Pyodide under Deno. As a workaround, use the gVisor-based sandbox by setting GRIST_SANDBOX_FLAVOR to gvisor.
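The following added example (not Grist's own code, and not part of the advisory) turns the advisory into a check an operator can run against a self-managed deployment: given the configured GRIST_SANDBOX_FLAVOR value and the grist-core version, it reports whether the deployment is exposed. It assumes that the only conditions that matter are the ones the advisory names (the pyodide flavor on a version before 1.7.9 is vulnerable, 1.7.9 and later are patched, gvisor is the recommended workaround); every other flavor value is reported as "other" rather than judged. The version comparison is written in plain POSIX sh so it does not depend on sort -V.

```shell
#!/bin/sh
# Added example for CVE-2026-24002; not Grist project code.
# Decides whether a Grist deployment's sandbox configuration is exposed,
# based only on the facts in the advisory:
#   - GRIST_SANDBOX_FLAVOR=pyodide before 1.7.9 -> vulnerable
#   - GRIST_SANDBOX_FLAVOR=pyodide at/after 1.7.9 -> patched (Pyodide under Deno)
#   - GRIST_SANDBOX_FLAVOR=gvisor -> the advisory's workaround
# Any other flavor value is reported as "other" (assumption: this script does
# not judge flavors the advisory does not mention).

# version_ge A B: exit 0 if dotted numeric version A >= B, 1 otherwise.
# Components are compared numerically; a missing component counts as 0,
# so "1.7" < "1.7.9" and "1.8" > "1.7.9".
version_ge() {
  a=${1#v}
  b=${2#v}
  while [ -n "$a" ] || [ -n "$b" ]; do
    ax=${a%%.*}
    bx=${b%%.*}
    [ -z "$ax" ] && ax=0
    [ -z "$bx" ] && bx=0
    if [ "$ax" -gt "$bx" ]; then return 0; fi
    if [ "$ax" -lt "$bx" ]; then return 1; fi
    case "$a" in *.*) a=${a#*.} ;; *) a= ;; esac
    case "$b" in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# grist_sandbox_status FLAVOR VERSION
# Prints exactly one word: vulnerable, patched, sandboxed, or other.
grist_sandbox_status() {
  flavor=$1
  version=$2
  case "$flavor" in
    pyodide)
      if version_ge "$version" "1.7.9"; then
        echo "patched"     # Pyodide runs under Deno from 1.7.9 on
      else
        echo "vulnerable"  # Pyodide on Node.js: no useful sandbox barrier
      fi
      ;;
    gvisor)
      echo "sandboxed"     # the advisory's recommended workaround
      ;;
    *)
      echo "other"         # flavor not covered by this advisory
      ;;
  esac
}

# Constructed inputs for illustration (not read from a real deployment).
# On a live host you would pass "${GRIST_SANDBOX_FLAVOR:-}" and the installed
# grist-core version instead.
grist_sandbox_status pyodide 1.7.8   # prints: vulnerable
grist_sandbox_status pyodide 1.7.9   # prints: patched
grist_sandbox_status gvisor  1.7.8   # prints: sandboxed
```

Run it as `sh check-grist-sandbox.sh`; a result of `vulnerable` means either upgrade to 1.7.9 or later or switch GRIST_SANDBOX_FLAVOR to gvisor, as the advisory recommends.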
References
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24002.json
https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g
https://nvd.nist.gov/vuln/detail/CVE-2026-24002
https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents
