CVE-2026-55659
GristLabs · Grist-core
Grist-core is vulnerable to Cross-site Scripting (XSS) due to improper output encoding, allowing authenticated attackers to execute arbitrary scripts in a victim's browser.
Executive summary
An authenticated Cross-site Scripting (XSS) vulnerability in Grist-core permits attackers to execute malicious code, leading to potential account takeover or unauthorized data manipulation.
Vulnerability
The vulnerability stems from improper output encoding (CWE-116) and neutralization of input (CWE-79). It requires an authenticated user with low-level privileges to trigger the malicious script in a victim's browser session.
Business impact
While this vulnerability requires authentication, the potential for cross-site scripting allows an attacker to elevate their influence by targeting more privileged users. The CVSS score of 7.7 reflects the high impact on confidentiality and integrity, potentially leading to unauthorized data exfiltration or administrative action by proxy.
Remediation
Immediate Action: Update Grist-core to version 1.7.15 or later to resolve the underlying encoding and neutralization flaws.
Proactive Monitoring: Review application access logs for unusual activity associated with lower-privileged accounts and inspect user-generated content for suspicious script tags.
Compensating Controls: Enforce strict session management and use browser-based security features like CSP to prevent the execution of unauthorized scripts.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Security teams should prioritize patching Grist-core to version 1.7.15. Ensuring all users are on the latest version mitigates the risk of internal privilege escalation via XSS and protects the integrity of the spreadsheet data.