Critical Grist-Core Vulnerability Allows RCE Attacks via Spreadsheet Formulas
28.01.2026

A critical Grist-Core flaw (CVE-2026-24002, CVSS 9.1) allows remote code execution through malicious formulas when Pyodide sandboxing is enabled.
🚨 CRITICAL ALERT: Spreadsheet Formulas Can Now Hack Your System
Hold up, tech fam — your spreadsheets just got weaponized. A critical vulnerability in Grist-Core (CVE-2026-24002, CVSS 9.1) lets attackers execute remote code through malicious formulas. Yeah, you read that right: a simple spreadsheet cell can now become a backdoor.
The flaw kicks in when Pyodide sandboxing is enabled — the very feature meant to keep you safe. Instead, it becomes the attack vector. This isn't just theoretical; it's a full-blown RCE (Remote Code Execution) vulnerability that could let bad actors take over your system.

Grist-Core is an open-source spreadsheet and database platform, and this vulnerability affects all deployments using Pyodide for formula execution. The sandbox escape allows attackers to bypass security controls and run arbitrary code on the host system.
This is a classic case of security features backfiring. Pyodide, which runs Python in the browser via WebAssembly, was supposed to isolate formula execution. Instead, it's the weak link that enables the exploit.
- CVE-2026-24002
- CVSS Score: 9.1 (CRITICAL)
- Affects: Grist-Core with Pyodide sandboxing enabled
- Impact: Remote Code Execution (RCE)
- Attack Vector: Malicious spreadsheet formulas
If you're running Grist-Core in your stack, you need to patch this immediately. The vulnerability is already public, meaning exploit code could drop any minute. This isn't just about data leaks — it's about complete system compromise.
The fix involves updating to the latest Grist-Core version that addresses the sandbox escape. Don't wait for an attack — patch now. Spreadsheets should calculate numbers, not execute shell commands.
