CVE-2026-55665

GristLabs · Grist-core

Grist-core is vulnerable to Cross-site Scripting (XSS), which may allow an unauthenticated, remote attacker to execute arbitrary scripts in a user's browser via crafted input.

Executive summary

A high-severity Cross-site Scripting (XSS) vulnerability in Grist-core allows remote attackers to compromise user sessions and perform unauthorized actions within the application.

Vulnerability

The application fails to properly neutralize user-supplied input during web page generation (CWE-79). This allows an unauthenticated attacker to inject malicious scripts that execute within the context of the victim's session.

Business impact

Exploitation of this vulnerability can result in the theft of session cookies, unauthorized access to sensitive spreadsheet data, or the execution of malicious actions on behalf of authenticated users. With a CVSS score of 8.5, this represents a significant risk to data integrity and user confidentiality within the Grist environment.

Remediation

Immediate Action: Update Grist-core to version 1.7.15 or later immediately.

Proactive Monitoring: Monitor application logs for suspicious script injections or unusual patterns in user-submitted data fields.

Compensating Controls: Utilize Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, thereby mitigating the impact of potential XSS attacks.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high impact on data confidentiality and integrity, organizations must treat this update with urgency. Deploying version 1.7.15 is the only reliable method to eliminate this injection vector.