CVE-2026-55659 in grist-coreinfo

Summary

by MITRE • 07/10/2026

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim's Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

This vulnerability represents a critical cross-site scripting flaw in Grist spreadsheet software that affects versions prior to 1.7.15. The security issue stems from improper input sanitization and output encoding practices within the server-rendered web pages, creating an avenue for malicious code injection that can be exploited by document editors to gain elevated privileges. The vulnerability manifests through multiple attack vectors that leverage user-controllable data inputs without adequate validation or escaping mechanisms.

The technical implementation of this flaw occurs in two primary locations within Grist's web application architecture. On the main application page, document metadata including document names and descriptions that are editable by document editors are directly embedded into HTML output without proper sanitization, allowing malicious input to be rendered as executable script code. Additionally, the OAuth2 end-of-flow page contains a reflected parameter vulnerability where the openerOrigin request parameter is directly incorporated back into the served HTML response without appropriate escaping. These injection points create persistent XSS opportunities that enable attackers to execute arbitrary JavaScript code within the context of authenticated user sessions.

The operational impact of this vulnerability extends beyond simple script execution, as it provides document editors with the ability to escalate their privileges to owner-level access within affected documents. When malicious scripts execute in the victim's browser context, they can leverage the authenticated session to perform actions such as reading sensitive data, modifying document content, changing sharing settings, and altering access rules that control who can view or edit specific document elements. This privilege escalation capability fundamentally undermines the security model of Grist's collaborative document environment where different user roles should maintain distinct access controls.

From a cybersecurity perspective, this vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a classic example of insufficient input validation combined with improper output encoding practices that violate fundamental web application security principles. The ATT&CK framework categorizes this as a technique for code injection within the context of web application exploitation, specifically targeting the execution of malicious scripts in user browsers through DOM-based XSS vulnerabilities. The attack chain requires minimal prerequisites since document editors already possess legitimate access to modify content, making this vulnerability particularly dangerous in collaborative environments where multiple users have editing privileges.

The recommended mitigation strategy involves upgrading to Grist version 1.7.15 or later, which implements proper input sanitization and output encoding mechanisms for all user-controllable data elements. Organizations should also implement additional defensive measures including strict Content Security Policy headers, regular security scanning of web applications, and monitoring for suspicious document modifications that could indicate exploitation attempts. Administrators should consider implementing role-based access controls that limit document editing privileges to trusted users only, while also conducting regular security awareness training for all users who have access to modify document metadata or content.

Responsible

GitHub M

Reservation

06/17/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!