thehackernews.com 1/27/2026, 12:00:29 PM

Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch: Patch Status Unknown

A critical vulnerability in Grist-Core, the open-source, self-hosted relational spreadsheet-database, tracked as CVE-2026-24002 with a CVSS score of 9.1, could allow remote code execution via malicious spreadsheet formulas. The flaw, codenamed Cellbreak by Cyera Research Labs, stems from Grist's Python formula execution inside the Pyodide sandbox, which can be escaped to run host commands and JavaScript in the host runtime.

The problem is addressed in Grist version 1.7.9, released on 9 January 2026. Grist notes that users can check the sandboxing section of the Admin Panel to see whether they are affected: if the sandbox flavor shown is pyodide rather than gvisor, updating is important. According to Cyera Research Labs, a single malicious formula can turn a spreadsheet into an RCE beachhead, using the sandbox escape to reach filesystem data and credentials on the host.

Grist has moved Pyodide‑based formula execution under the Deno JavaScript runtime by default, though the risk persists if GRIST_PYODIDE_SKIP_DENO is set to 1. Users are advised to update to the latest version and, as a temporary mitigation, set GRIST_SANDBOX_FLAVOR to “gvisor.”
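A small triage helper, added here and not part of the article or the Grist project, that applies the article's three criteria (version below 1.7.9, sandbox flavor, the GRIST_PYODIDE_SKIP_DENO opt-out) to a deployment's settings. The function names, the dotted "X.Y.Z" version format and the sample inputs are assumptions.

```shell
#!/bin/sh
# Added example (not Grist's own code): classify a self-hosted Grist deployment's
# exposure to CVE-2026-24002 (Cellbreak) from its version and sandbox settings.

# version_lt A B -> exit status 0 if dotted version A is numerically lower than B
version_lt() {
    [ "$1" = "$2" ] && return 1
    lowest="$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)"
    [ "$lowest" = "$1" ]
}

# cellbreak_status VERSION SANDBOX_FLAVOR SKIP_DENO -> prints one of:
#   mitigated  : GRIST_SANDBOX_FLAVOR=gvisor, the article's interim workaround
#   vulnerable : Pyodide sandbox on a build older than 1.7.9
#   at-risk    : 1.7.9 or later, but GRIST_PYODIDE_SKIP_DENO=1 removes the Deno layer
#   patched    : 1.7.9 or later with the default Deno-wrapped Pyodide execution
cellbreak_status() {
    version="$1"; flavor="$2"; skip_deno="$3"
    if [ "$flavor" = "gvisor" ]; then
        echo "mitigated"; return 0
    fi
    if version_lt "$version" "1.7.9"; then
        echo "vulnerable"; return 0
    fi
    if [ "$skip_deno" = "1" ]; then
        echo "at-risk"; return 0
    fi
    echo "patched"
}

# Constructed sample deployments (hypothetical values, not real hosts)
for case in "1.7.8 pyodide 0" "1.7.9 pyodide 1" "1.7.10 pyodide 0" "1.6.0 gvisor 0"; do
    set -- $case
    printf 'grist %-7s flavor=%-7s skip_deno=%s -> %s\n' \
        "$1" "$2" "$3" "$(cellbreak_status "$1" "$2" "$3")"
done
```

On a live host, feed the function the version reported by the Admin Panel and the values of GRIST_SANDBOX_FLAVOR and GRIST_PYODIDE_SKIP_DENO from the container's environment.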


Article by CyberSIXT