CVE-2026-55665
GristLabs · Grist-core
Grist-core is vulnerable to Cross-site Scripting (XSS), which may allow an unauthenticated, remote attacker to execute arbitrary scripts in a user's browser via crafted input.
Executive summary
A high-severity Cross-site Scripting (XSS) vulnerability in Grist-core allows remote attackers to compromise user sessions and perform unauthorized actions within the application.
Vulnerability
The application fails to properly neutralize user-supplied input during web page generation (CWE-79). This allows an unauthenticated attacker to inject malicious scripts that execute within the context of the victim's session.
Business impact
Exploitation of this vulnerability can result in the theft of session cookies, unauthorized access to sensitive spreadsheet data, or the execution of malicious actions on behalf of authenticated users. With a CVSS score of 8.5, this represents a significant risk to data integrity and user confidentiality within the Grist environment.
Remediation
Immediate Action: Update Grist-core to version 1.7.15 or later immediately.
Proactive Monitoring: Monitor application logs for suspicious script injections or unusual patterns in user-submitted data fields.
Compensating Controls: Utilize Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, thereby mitigating the impact of potential XSS attacks.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high impact on data confidentiality and integrity, organizations must treat this update with urgency. Deploying version 1.7.15 is the only reliable method to eliminate this injection vector.