CVE-2026-55665
Received Received - Intake

XSS in Grist Spreadsheet Software

Vulnerability report for CVE-2026-55665, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Grist is spreadsheet software using Python as its formula language. Prior to 1.7.15, Grist contained two cross-site scripting vulnerabilities where an attacker-controlled value reached a link's href without scheme validation, so a javascript URL could run in a victim's Grist origin on a single click. On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a javascript URL there that ran when another user opened the document and clicked the tour link. Because the script runs in the victim's authenticated session, it can call Grist APIs as the victim, reading or modifying data and changing sharing settings and access rules. A document editor could therefore escalate to owner-level access. This issue is fixed in version 1.7.15.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-11
AI Q&A
2026-07-11
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
grist grist to 1.7.15 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute JavaScript in the context of an authenticated user's session, potentially reading or modifying data and changing sharing settings and access rules. This could lead to unauthorized access or data breaches.

Such unauthorized access and potential data exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access.

Executive Summary

This vulnerability affects Grist, a spreadsheet software that uses Python as its formula language. Before version 1.7.15, Grist had two cross-site scripting (XSS) vulnerabilities where attacker-controlled values were inserted into link href attributes without validating the URL scheme. This allowed an attacker to craft a javascript URL that would execute in the victim's Grist session when clicked.

Specifically, on the account-selection page (/welcome/select-account), the 'next' query parameter was used as the target for account buttons without validation. Also, in document tours, the Link_URL column in the GristDocTour table became a clickable button, allowing an editor of a shared document to insert a malicious javascript URL. When another user opened the document and clicked the tour link, the script would run.

Because the script runs in the victim's authenticated session, it can call Grist APIs as that user, enabling reading or modifying data and changing sharing settings and access rules. This means a document editor could escalate their privileges to owner-level access. The issue was fixed in version 1.7.15.

Impact Analysis

This vulnerability can have serious impacts because it allows an attacker to execute arbitrary JavaScript in the context of a victim's authenticated Grist session.

  • An attacker can read or modify data accessible to the victim.
  • An attacker can change sharing settings and access rules.
  • A document editor could escalate their privileges to owner-level access, gaining full control over documents.

Overall, this could lead to unauthorized data access, data manipulation, and loss of control over document sharing and permissions.

Mitigation Strategies

To mitigate this vulnerability, upgrade Grist to version 1.7.15 or later, where the issue has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55665. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart