Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas
Briefly
""One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead," security researcher Vladimir Tokarev, who discovered the flaw, said. "This sandbox escape lets a formula author execute OS commands or run host-runtime JavaScript, collapsing the boundary between 'cell logic' and host execution." Cellbreak is categorized as a case of Pyodide sandbox escape, the same kind of vulnerability that also recently impacted n8n (CVE-2025-68668, CVSS score: 9.9, aka N8scape)."
""In a nutshell, the problem is rooted in Grist's Python formula execution, which allows untrusted formulas to be run inside Pyodide, a Python distribution that enables regular Python code to be executed directly in a web browser within the confines of a WebAssembly (WASM) sandbox. While the idea behind this thought process is to ensure that Python formula code is run in an isolated environment, the fact that Grist uses a blocklist-style approach makes it possible to escape the sandbox.""
A high-severity Pyodide sandbox escape in Grist-Core (CVE-2026-24002, CVSS 9.1) allows malicious formulas to execute OS commands or host-runtime JavaScript, enabling remote code execution. The vulnerability, named Cellbreak, abuses Grist's Python formula execution and a blocklist-style sandboxing approach that leaves ctypes and Python class traversal available, permitting escape from the WebAssembly (WASM) environment. The flaw mirrors prior Pyodide sandbox escapes such as the N8scape issue affecting n8n. Affected instances using the 'pyodide' sandbox should be upgraded; Grist 1.7.9, released January 9, 2026, contains the remediation.
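For operators triaging a Grist instance before the upgrade lands, here is an added scanner (not Grist's own code, and not from the article) that flags the two ingredients the summary names, a ctypes import and class traversal through dunder attributes, in exported formula text. It assumes formulas are available as plain Python with Grist's `$Column` shorthand already rewritten to `rec.Column`; the sample formulas are constructed.

```python
import ast
import textwrap

# Class-traversal attribute names, plus the module the article names (ctypes).
TRAVERSAL_ATTRS = {"__class__", "__bases__", "__mro__", "__subclasses__",
                   "__globals__", "__builtins__", "__dict__"}
BLOCKED_MODULES = {"ctypes"}


def scan_formula(src: str) -> list[str]:
    """Return findings for one formula body (empty list: nothing flagged)."""
    # Wrap the body in a function so multi-line formulas using `return` parse.
    # Assumption: Grist's `$Column` shorthand is already rewritten to rec.Column.
    wrapped = "def _formula(rec):\n" + textwrap.indent(src, "    ")
    try:
        tree = ast.parse(wrapped)
    except SyntaxError as exc:
        return [f"unparseable: {exc.msg}"]
    findings = []
    for node in ast.walk(tree):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        findings += [f"import:{n}" for n in names if n.split(".")[0] in BLOCKED_MODULES]
        if isinstance(node, ast.Attribute) and node.attr in TRAVERSAL_ATTRS:
            findings.append(f"attr:{node.attr}")
        # getattr(rec, "__class__") or __import__("ctypes") reach the same
        # objects without an Attribute/Import node, so string args are checked.
        if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id in {"getattr", "__import__"}):
            for arg in node.args:
                if (isinstance(arg, ast.Constant) and isinstance(arg.value, str)
                        and arg.value in TRAVERSAL_ATTRS | BLOCKED_MODULES):
                    findings.append(f"{node.func.id}:{arg.value}")
    return findings


def scan_document(formulas: dict[str, str]) -> dict[str, list[str]]:
    """Map 'Table.Column' -> findings, keeping only the flagged formulas."""
    report = {key: scan_formula(body) for key, body in formulas.items()}
    return {key: hits for key, hits in report.items() if hits}


# Constructed sample formulas, not taken from any real document.
SAMPLE = {
    "Orders.Total": "rec.Price * rec.Quantity",
    "Orders.Note": "import ctypes\nreturn 'x'",
    "Orders.Probe": "rec.__class__.__mro__",
    "Orders.Indirect": "getattr(rec, '__class__')",
}
```

Running `scan_document(SAMPLE)` flags the last three formulas and leaves the ordinary arithmetic column alone; a hit is a reason to review the formula and its author, not proof of compromise.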
Read at The Hacker News