Grist-Core and France’s public sector educational institutions: Grist-Core Vulnerability Enables Malicious Remote Code Execution via Crafted Spreadsheet Formulas

Critical Sandbox Escape Flaw in Grist-Core Patched After Disclosure by Cyera Research Labs

A high-severity sandbox escape vulnerability in Grist-Core, tracked as GHSA-7xvx-8pf2-pv5g (CVSS 9.1), has been patched following responsible disclosure by Cyera Research Labs. The flaw allowed attackers to achieve remote code execution (RCE) by exploiting malicious spreadsheet formulas that bypassed the platform’s Pyodide WebAssembly sandbox, exposing sensitive data and downstream systems.

Vulnerability Details & Impact

Grist-Core, a relational spreadsheet platform, is used by over 1,000 organizations, including France’s public sector educational institutions, to model business data, automate workflows, and integrate Python-based formulas. The platform operates in SaaS and self-hosted configurations, making it a critical data hub with access to customer records, operational metrics, and integration credentials.

In SaaS deployments, a successful exploit could lead to RCE within the vendor’s control plane, potentially compromising multi-tenant workflows, credentials, and connected systems.

Exploit Vectors & Patch

Cyera Research Labs identified three distinct sandbox escape methods:

  1. Python Class Hierarchy Traversal – Exploited warnings.catch_warnings to access full built-ins, enabling direct imports of the os module and command execution via os.system().
  2. Direct C Library Access – Leveraged ctypes to call ctypes.CDLL(None).system(), loading the system() function from libc via the Emscripten runtime.
  3. Emscripten Runtime Manipulation – Used emscripten_run_script_string() to execute JavaScript in the host runtime, gaining access to require('child_process') and process.env for full host compromise.

Grist released version 1.7.9 on January 20, 2026, addressing the issue by migrating Pyodide formula execution under Deno by default. This introduces a permission-based mediation layer, blocking sensitive operations unless explicitly granted. Organizations must ensure the GRIST_PYODIDE_SKIP_DENO flag is disabled, as enabling it reintroduces the vulnerability.

The patch shifts Grist’s security model from a blocklist-based sandbox to a capability-based approach, significantly reducing the risk of formula-based exploitation.
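As an added example (not code from the advisory, Cyera, or the Grist project), the following audit helper encodes the two conditions the advisory gives for exposure: a self-hosted deployment running a version older than 1.7.9, or one where GRIST_PYODIDE_SKIP_DENO is enabled. The `.env`-style input format, the sample configuration, and the rule that any value outside a small falsy set counts as "enabled" are assumptions made here, not Grist's documented behaviour.

```python
# Added example: audit a self-hosted Grist deployment for the two exposure
# conditions described in the GHSA-7xvx-8pf2-pv5g advisory. Assumptions
# (not from Grist): config is read as KEY=VALUE lines (a .env file), and any
# flag value outside FALSY is treated as "enabled".
import re
from typing import Dict, List, Tuple

FIXED_VERSION = (1, 7, 9)                # from the advisory: fix shipped in 1.7.9
FLAG = "GRIST_PYODIDE_SKIP_DENO"         # from the advisory: must stay disabled
FALSY = {"", "0", "false", "no", "off"}  # assumed truthiness rule, not Grist's


def parse_env(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blanks and '#' comments are ignored, quotes stripped."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '1.7.9' or 'v1.7.10-beta' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(x) for x in m.groups())


def audit(version: str, env: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means no known exposure."""
    findings: List[str] = []
    if parse_version(version) < FIXED_VERSION:
        findings.append(f"version {version} predates the 1.7.9 fix")
    if env.get(FLAG, "").lower() not in FALSY:
        findings.append(f"{FLAG} is enabled, bypassing Deno mediation")
    return findings


# Constructed sample .env (not from any real deployment): patched version,
# but the flag is set, so the Deno mediation layer is skipped.
SAMPLE_ENV = """
# constructed grist .env
GRIST_PYODIDE_SKIP_DENO=true
"""

if __name__ == "__main__":
    for finding in audit("1.7.9", parse_env(SAMPLE_ENV)):
        print("FINDING:", finding)
```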

Source: https://cyberpress.org/grist-core-vulnerability/

Grist Labs cybersecurity rating report: https://www.rankiteo.com/company/grist-labs

Campus France cybersecurity rating report: https://www.rankiteo.com/company/campusfrance

"id": "GRICAM1769683332",
"linkid": "grist-labs, campusfrance",
"type": "Vulnerability",
"date": "1/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Technology, Education (public sector)',
                        'location': 'Global (notably France)',
                        'name': 'Grist-Core',
                        'size': '1,000+ organizations',
                        'type': 'Software Platform'}],
 'attack_vector': 'Malicious spreadsheet formulas',
 'data_breach': {'sensitivity_of_data': 'High',
                 'type_of_data_compromised': 'Customer records, operational '
                                             'metrics, integration '
                                             'credentials'},
 'date_publicly_disclosed': '2026-01-20',
 'date_resolved': '2026-01-20',
 'description': 'A high-severity sandbox escape vulnerability in Grist-Core, '
                'tracked as GHSA-7xvx-8pf2-pv5g (CVSS 9.1), has been patched '
                'following responsible disclosure by Cyera Research Labs. The '
                'flaw allowed attackers to achieve remote code execution (RCE) '
                'by exploiting malicious spreadsheet formulas that bypassed '
                'the platform’s Pyodide WebAssembly sandbox, exposing '
                'sensitive data and downstream systems.',
 'impact': {'data_compromised': 'Sensitive data, customer records, operational '
                                'metrics, integration credentials',
            'operational_impact': 'Remote code execution (RCE) within vendor’s '
                                  'control plane, potential compromise of '
                                  'multi-tenant workflows and connected '
                                  'systems',
            'systems_affected': 'Grist-Core SaaS and self-hosted deployments'},
 'investigation_status': 'Resolved',
 'lessons_learned': 'Shift from blocklist-based sandbox to capability-based '
                    'security model reduces risk of formula-based '
                    'exploitation.',
 'post_incident_analysis': {'corrective_actions': 'Migration to Deno-based '
                                                  'execution with '
                                                  'permission-based mediation, '
                                                  'disabling vulnerable flags',
                            'root_causes': 'Insecure Pyodide WebAssembly '
                                           'sandbox allowing Python class '
                                           'hierarchy traversal, direct C '
                                           'library access, and Emscripten '
                                           'runtime manipulation'},
 'recommendations': 'Ensure GRIST_PYODIDE_SKIP_DENO flag is disabled to '
                    'prevent reintroduction of the vulnerability. Migrate to '
                    'Deno-based execution for enhanced security.',
 'references': [{'source': 'Cyera Research Labs'}],
 'response': {'containment_measures': 'Patch released (version 1.7.9), '
                                      'migration of Pyodide formula execution '
                                      'under Deno by default',
              'remediation_measures': 'Disabled GRIST_PYODIDE_SKIP_DENO flag, '
                                      'introduced permission-based mediation '
                                      'layer',
              'third_party_assistance': 'Cyera Research Labs'},
 'title': 'Critical Sandbox Escape Flaw in Grist-Core Patched After Disclosure '
          'by Cyera Research Labs',
 'type': 'Sandbox Escape Vulnerability',
 'vulnerability_exploited': 'GHSA-7xvx-8pf2-pv5g (CVSS 9.1)'}