Cross-Site Scripting Vulnerabilities in Grist Spreadsheet Software by Grist Labs
CVE-2026-55665
What is CVE-2026-55665?
Grist, a spreadsheet application utilizing Python for its formula language, was found to have multiple cross-site scripting vulnerabilities prior to version 1.7.15. These vulnerabilities could allow an attacker to inject JavaScript code into user sessions via manipulated links. Specifically, on the account-selection page, unvalidated query parameters could be exploited to redirect users to malicious scripts. Additionally, shared document editing allowed editing of tour links in a way that could lead to the execution of arbitrary JavaScript when clicked. This could significantly compromise user data and permissions, potentially granting unauthorized access and altering sharing settings. The issue has been resolved in version 1.7.15.
Affected Version(s)
grist-core < 1.7.15
