securityonline.info 1/29/2026, 4:25:16 AM

CVE-2026-24002: Critical Sandbox Escape Turns Grist Spreadsheets into RCE Weapons

CyberSIXT Evidence Panel
CISA KEV: Not in KEV
Patch status: Unknown

CVE-2026-24002 is described as a critical sandbox escape in Grist-Core that allows full Remote Code Execution by abusing Grist's Pyodide-based formula engine. According to Cyera Research Labs, the flaw carries a CVSS score of 9.1 and enables attackers to break out of the Pyodide sandbox, turning spreadsheet updates into RCE across the platform.

The researchers identify three main attack paths: class hierarchy traversal to reach built-in functions like os[.]system(), direct C library access via ctypes, and Emscripten runtime abuse using emscripten_run_script_string() to run JavaScript in the host runtime. The Grist security team patched the issue by running Pyodide formula execution under Deno by default, which changes the failure mode: access to the host runtime is now mediated by Deno's permission model.

Administrators are urged to upgrade to Grist version 1.7.9 or later, while avoiding the option to bypass the fix via the GRIST_PYODIDE_SKIP_DENO=1 setting. The disclosure was published on 29 January 2026.
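The two remediation conditions above (version 1.7.9 or later, and GRIST_PYODIDE_SKIP_DENO not set to bypass the Deno fix) can be checked per deployment. The following is an added audit helper written for this summary, not code from Grist or from the advisory; it assumes the version string is the usual major.minor.patch form with an optional leading "v", and it takes the process environment as a plain mapping so it can be run against inventory data offline.

```python
import re
from typing import Mapping

# From the advisory: the fix ships in Grist 1.7.9, so anything older is unpatched.
PATCHED_VERSION = (1, 7, 9)

def parse_version(version: str) -> tuple:
    """Turn a Grist version string such as 'v1.7.9' or '1.7.10-rc1' into a comparable tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def assess(version: str, env: Mapping[str, str]) -> dict:
    """Return findings for one Grist deployment given its version and process environment."""
    findings = []
    if parse_version(version) < PATCHED_VERSION:
        findings.append("version predates the 1.7.9 fix")
    # The fix runs Pyodide under Deno; the advisory names GRIST_PYODIDE_SKIP_DENO=1 as the bypass.
    # Treating any non-empty, non-zero value as a bypass is a conservative assumption made here.
    skip = env.get("GRIST_PYODIDE_SKIP_DENO", "").strip()
    if skip and skip != "0":
        findings.append(f"GRIST_PYODIDE_SKIP_DENO={skip} disables the Deno sandbox")
    return {"version": version, "vulnerable": bool(findings), "findings": findings}

if __name__ == "__main__":
    # Constructed sample inventory, not data from the advisory.
    sample = [
        ("grist-prod", "1.7.8", {}),
        ("grist-staging", "v1.7.9", {"GRIST_PYODIDE_SKIP_DENO": "1"}),
        ("grist-dev", "1.7.10", {}),
    ]
    for host, ver, env in sample:
        r = assess(ver, env)
        print(f"{host}: {'VULNERABLE' if r['vulnerable'] else 'ok'} {r['findings']}")
```

A deployment is only considered fixed when both checks pass; the version check alone would miss a patched host that has the bypass variable set.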


Article by CyberSIXT