CVE-2026-24002 is a critical injection vulnerability in grist-core, a spreadsheet software that uses Python as its formula language. Grist provides multiple sandboxing methods to safely execute user formulas, including running them in pyodide, a WebAssembly-based Python runtime. However, when pyodide is run on Node.js, it lacks effective sandbox barriers, allowing malicious spreadsheet documents to execute arbitrary processes on the hosting server if the environment variable GRIST_SANDBOX_FLAVOR is set to 'pyodide'. This vulnerability stems from CWE-74, indicating improper neutralization of special elements in output used by a downstream component, which in this case is the pyodide runtime environment. The flaw enables remote code execution without requiring authentication or user interaction beyond opening a crafted document. The vulnerability affects all grist-core versions prior to 1.7.9. The issue has been addressed in version 1.7.9 by switching the pyodide runtime to run under Deno, a secure runtime for JavaScript and TypeScript that provides stronger sandboxing capabilities. As an interim mitigation, users can configure the sandbox flavor to 'gvisor', which uses a container-based sandboxing approach to isolate execution. The CVSS v3.1 score of 9.1 reflects the critical nature of this vulnerability, with network attack vector, high complexity, no privileges required, no user interaction, and a scope change that impacts confidentiality, integrity, and availability of the server. No known exploits are currently reported in the wild, but the severity and ease of exploitation make this a high-risk issue for deployments of grist-core in server environments.

For European organizations, this vulnerability poses a significant risk of server compromise, potentially leading to unauthorized data access, data manipulation, or service disruption. Organizations using grist-core to handle sensitive or regulated data (e.g., financial, healthcare, or personal data under GDPR) could face severe confidentiality breaches and compliance violations. The ability for an attacker to execute arbitrary processes on the server can lead to full system compromise, lateral movement within networks, and persistent footholds. This risk is amplified in multi-tenant or cloud-hosted environments where grist-core servers may be shared or exposed to external users. The critical CVSS score underscores the potential for widespread impact if exploited. European entities with stringent data protection laws must prioritize remediation to avoid legal and reputational damage. Additionally, disruption of business operations due to service unavailability could have financial and operational consequences.

European organizations should immediately upgrade grist-core installations to version 1.7.9 or later, which implements the secure pyodide sandbox under Deno. Until upgrading is possible, reconfigure the environment variable GRIST_SANDBOX_FLAVOR to 'gvisor' to leverage container-based sandboxing that isolates formula execution more effectively. Conduct thorough audits of existing grist-core deployments to identify any instances running vulnerable versions with the pyodide sandbox on Node.js. Implement network segmentation and strict access controls around grist-core servers to limit exposure. Monitor logs for unusual process executions or anomalies indicative of exploitation attempts. Employ application-layer firewalls or runtime application self-protection (RASP) solutions to detect and block suspicious activity. Educate users about the risks of opening untrusted spreadsheet documents. Finally, maintain up-to-date backups and incident response plans to quickly recover from potential compromises.