Cross-Site Scripting Vulnerabilities in Grist Spreadsheet Software by Grist Labs
CVE-2026-55665

8.5HIGH

Key Information:

Vendor

Gristlabs

Vendor
CVE Published:
10 July 2026

What is CVE-2026-55665?

Grist, a spreadsheet application utilizing Python for its formula language, was found to have multiple cross-site scripting vulnerabilities prior to version 1.7.15. These vulnerabilities could allow an attacker to inject JavaScript code into user sessions via manipulated links. Specifically, on the account-selection page, unvalidated query parameters could be exploited to redirect users to malicious scripts. Additionally, shared document editing allowed editing of tour links in a way that could lead to the execution of arbitrary JavaScript when clicked. This could significantly compromise user data and permissions, potentially granting unauthorized access and altering sharing settings. The issue has been resolved in version 1.7.15.

Affected Version(s)

grist-core < 1.7.15

References

CVSS V4

Score:
8.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.