CVE-2026-55659
Received Received - Intake

Cross-Site Scripting in Grist Spreadsheet Software

Vulnerability report for CVE-2026-55659, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, several server-rendered Grist pages embedded user-controlled values into the page and into inline scripts without fully escaping them, allowing cross-site scripting. On the main application page, a document's name or description, set by a document editor, is rendered into the page that other users load when opening the document. On the OAuth2 end-of-flow page, the openerOrigin request parameter was reflected back into the served page. Injected script runs in the victim's Grist origin and can act through the authenticated session, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grist grist to 1.7.15 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-116 The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to execute cross-site scripting (XSS) within the Grist application, potentially leading to unauthorized access to sensitive data and modification of sharing settings and access rules.

Such unauthorized access and data manipulation could result in violations of data protection regulations like GDPR and HIPAA, which require strict controls over personal and sensitive information to prevent unauthorized disclosure or alteration.

Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing or altering protected data without proper authorization.

Executive Summary

This vulnerability affects Grist spreadsheet software versions prior to 1.7.15. It occurs because several server-rendered pages embed user-controlled values into the page and inline scripts without properly escaping them, which allows cross-site scripting (XSS). Specifically, a document's name or description set by an editor is rendered into pages viewed by other users, and the OAuth2 end-of-flow page reflects a request parameter back into the page. Malicious scripts injected this way run in the victim's Grist origin and can act through their authenticated session.

As a result, an attacker who is a document editor can escalate their privileges to owner-level access by exploiting this XSS vulnerability.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access and control over documents within Grist. An attacker exploiting the cross-site scripting flaw can execute scripts in the context of the victim's authenticated session, allowing them to read or modify data, change sharing settings, and alter access rules.

Specifically, a document editor could escalate their privileges to owner-level access, potentially compromising sensitive information and control within the application.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Grist to version 1.7.15 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55659. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart