CVE-2026-55665 in grist-core
Summary
by MITRE • 07/11/2026
Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim's authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/11/2026
This vulnerability affects Grist spreadsheet software where Python serves as the formula language environment. The security flaws stem from inadequate validation of URL schemes in link generation processes, creating conditions where attacker-controlled content can execute malicious javascript code within the victim's authenticated session context. The vulnerability manifests through two distinct attack vectors that exploit different components of the application's user interface and navigation systems.
The first vulnerability occurs on the account-selection page at /welcome/select-account where the application directly uses the next query parameter as the href attribute for account buttons without proper scheme validation. This allows an attacker to craft malicious URLs containing javascript protocols that execute when users click on the account selection links. The second vulnerability exists within document tours functionality where the GristDocTour table's Link_URL column can be manipulated by document editors to contain javascript URLs. When other users open documents containing such tour links, clicking them triggers the malicious code execution in the victim's authenticated browser session.
Both attack vectors leverage the fundamental principle that javascript URLs can execute arbitrary code within the context of the current origin when properly triggered through user interaction. Since these vulnerabilities occur in contexts where users are already authenticated to Grist, the malicious scripts run with the privileges of the logged-in user. This creates a severe privilege escalation risk as attackers can make authenticated API calls to read, modify, or delete data while also changing sharing settings and access controls within the application.
The impact extends beyond simple data theft to full administrative control of documents and shared workspaces. An attacker with write access to a document tour can store malicious javascript URLs that execute whenever other users interact with those tours, potentially escalating privileges from editor-level access to owner-level permissions. This represents a classic cross-site scripting vulnerability pattern that aligns with CWE-79 (Cross-site Scripting) and follows attack techniques described in the MITRE ATT&CK framework under T1059.007 (Command and Scripting Interpreter: JavaScript) and T1566.001 (Phishing: Spearphishing Attachment).
The vulnerability demonstrates poor input validation and output encoding practices in web application security, specifically failing to properly sanitize user-controllable data before incorporating it into dynamic HTML elements. The fix implemented in version 1.7.15 addresses these issues through proper URL scheme validation that prevents javascript protocols from being executed as link targets while maintaining legitimate functionality for standard http/https URLs. This remediation approach aligns with security best practices outlined in OWASP Top Ten and secure coding guidelines that emphasize the importance of validating and sanitizing all user input before using it in contexts where it might be interpreted as executable code.
Organizations using Grist should immediately upgrade to version 1.7.15 or later to address these vulnerabilities, while also implementing monitoring for suspicious document tour modifications and reviewing existing shared documents for potentially malicious links. The vulnerability highlights the critical need for proper security testing of web applications, particularly those with user-generated content features that can be exploited through social engineering attacks where victims are tricked into clicking maliciously crafted links within legitimate application interfaces.