{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-03T10:43:37.315","vulnerabilities":[{"cve":{"id":"CVE-2026-24002","sourceIdentifier":"security-advisories@github.com","published":"2026-01-22T03:15:47.777","lastModified":"2026-02-17T17:59:16.383","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting  `GRIST_SANDBOX_FLAVOR` to `gvisor`."},{"lang":"es","value":"Grist es un software de hoja de cálculo que utiliza Python como su lenguaje de fórmulas. Grist ofrece varios métodos para ejecutar esas fórmulas en un sandbox, para casos en los que el usuario podría estar trabajando con hojas de cálculo no confiables. Uno de esos métodos los ejecuta en pyodide, pero pyodide en node no tiene una barrera de sandbox útil. Si un usuario de Grist establece 'GRIST_SANDBOX_FLAVOR' en 'pyodide' y abre un documento malicioso, ese documento podría ejecutar procesos arbitrarios en el servidor que aloja Grist. El problema se ha abordado en Grist versión 1.7.9 y posteriores, ejecutando pyodide bajo deno. Como solución alternativa, un usuario puede usar el sandbox basado en gvisor estableciendo 'GRIST_SANDBOX_FLAVOR' en 'gvisor'."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H","baseScore":9.0,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"HIGH","privilegesRequired":"NONE","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.2,"impactScore":6.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H","baseScore":9.6,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-74"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*","versionEndExcluding":"1.7.9","matchCriteriaId":"9F8A7C5C-5BE0-4EA5-BB48-F038908933ED"}]}]}],"references":[{"url":"https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents","source":"security-advisories@github.com","tags":["Patch"]}]}}]}