Cybersecurity

Cyber: Critical Grist-core Vulnerability Allows RCE Attacks Via...

2026-01-27 0 views admin
Cyber: Critical Grist-core Vulnerability Allows RCE Attacks Via...

A critical security flaw has been disclosed in Grist‑Core, an open-source, self-hosted version of the Grist relational spreadsheet-database, that could result in remote code execution.

The vulnerability, tracked as CVE-2026-24002 (CVSS score: 9.1), has been codenamed Cellbreak by Cyera Research Labs.

"One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead," security researcher Vladimir Tokarev, who discovered the flaw, said. "This sandbox escape lets a formula author execute OS commands or run host‑runtime JavaScript, collapsing the boundary between 'cell logic' and host execution."

Cellbreak is categorized as a case of Pyodide sandbox escape, the same kind of vulnerability that also recently impacted n8n (CVE-2025-68668, CVSS score: 9.9, aka N8scape). The vulnerability has been addressed in version 1.7.9, released on January 9, 2026.

"A security review identified a vulnerability in the 'pyodide' sandboxing method that is available in Grist," the project maintainers said. "You can check if you are affected in the sandboxing section of the Admin Panel of your instance. If you see 'gvisor' there, then you are not affected. If you see 'pyodide,' then it is important to update to this version of Grist or later."

In a nutshell, the problem is rooted in Grist's Python formula execution, which allows untrusted formulas to be run inside Pyodide, a Python distribution that enables regular Python code to be executed directly in a web browser within the confines of a WebAssembly (WASM) sandbox.

While the idea behind this thought process is to ensure that Python formula code is run in an isolated environment, the fact that Grist uses a blocklist-style approach makes it possible to escape the sandbox and ultimately achieve command execution on the underlying host.

"The sandbox's design allows traversal through Python's class hierarchy and leaves ctypes available, which together open access to Emscripten runtime functions that should never be reachable from a formula cell," Tokarev explained. "That combination enables host command execution and JavaScript execution in the host runtime, with practical outcomes like filesystem access and secret exposure."

According to Grist, when a user has set GRIST_SANDBOX_FLAVOR to Pyodide and opens a malicious document, that document could be used to run arbitrary processes on the server hosting Grist. Armed with this capability to execute commands or JavaScript via a formula, an attacker can

Source: The Hacker News

🏷️ Tags

securityvulnerabilitycveattack

More from Cybersecurity

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

Cyber: Phishing Campaign Targets Freight And Logistics Orgs In The Us, Europe

2026-02-24 0
Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

Cyber: Wynn Resorts Confirms Employee Data Breach After Extortion Threat

2026-02-24 0
Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

Cyber: 1campaign Platform Helps Malicious Google Ads Evade Detection

2026-02-24 0
Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

Cyber: New Attackers Now Need Just 29 Minutes To Own A Network 2026

2026-02-24 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views