CVE-2026-55659

GristLabs · Grist-core

Grist-core is vulnerable to Cross-site Scripting (XSS) due to improper output encoding, allowing authenticated attackers to execute arbitrary scripts in a victim's browser.

Executive summary

An authenticated Cross-site Scripting (XSS) vulnerability in Grist-core permits attackers to execute malicious code, leading to potential account takeover or unauthorized data manipulation.

Vulnerability

The vulnerability stems from improper output encoding (CWE-116) and neutralization of input (CWE-79). It requires an authenticated user with low-level privileges to trigger the malicious script in a victim's browser session.

Business impact

While this vulnerability requires authentication, the potential for cross-site scripting allows an attacker to elevate their influence by targeting more privileged users. The CVSS score of 7.7 reflects the high impact on confidentiality and integrity, potentially leading to unauthorized data exfiltration or administrative action by proxy.

Remediation

Immediate Action: Update Grist-core to version 1.7.15 or later to resolve the underlying encoding and neutralization flaws.

Proactive Monitoring: Review application access logs for unusual activity associated with lower-privileged accounts and inspect user-generated content for suspicious script tags.

Compensating Controls: Enforce strict session management and use browser-based security features like CSP to prevent the execution of unauthorized scripts.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Security teams should prioritize patching Grist-core to version 1.7.15. Ensuring all users are on the latest version mitigates the risk of internal privilege escalation via XSS and protects the integrity of the spreadsheet data.