PatchSiren cyber security CVE debrief
CVE-2026-55665 gristlabs CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:56.847Z and has not been modified since then. Grist spreadsheet software, using Python as its formula language, contained two cross-site scripting vulnerabilities prior to version 1.7.15. An attacker-controlled value could reach a link's href without scheme validation, allowing a JavaScript URL to run in a victim's Grist origin on a single click. This occurred in two scenarios: 1) On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. 2) In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a JavaScript URL that ran when another user opened the document and clicked the tour link. The script runs in the victim's authenticated session, enabling the attacker to call Grist APIs as the victim, read or modify data, change sharing settings, and access rules. A document editor could therefore escalate to owner-level access. Users of Grist spreadsheet software, particularly those with shared documents or accounts, should be aware of this vulnerability. An attacker could exploit this issue to run JavaScript code in a victim's Grist origin, potentially escalating to owner-level access. High priority should be given to updating Grist to version 1.7.15 or later. Users should also be cautious when clicking on links within Grist, especially those from untrusted sources.
- Vendor
- gristlabs
- Product
- grist-core
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Grist spreadsheet software, particularly those with shared documents or accounts, should be aware of this vulnerability. An attacker could exploit this issue to run JavaScript code in a victim's Grist origin, potentially escalating to owner-level access.
Technical summary
Grist spreadsheet software, using Python as its formula language, contained two cross-site scripting vulnerabilities prior to version 1.7.15. An attacker-controlled value could reach a link's href without scheme validation, allowing a JavaScript URL to run in a victim's Grist origin on a single click. This occurred in two scenarios: 1) On the account-selection page, /welcome/select-account used its next query parameter as the account buttons' link target. 2) In document tours, the GristDocTour table's Link_URL column became a clickable button, allowing an editor of a shared document to store a JavaScript URL that ran when another user opened the document and clicked the tour link. The script runs in the victim's authenticated session, enabling the attacker to call Grist APIs as the victim, read or modify data, change sharing settings, and access rules. A document editor could therefore escalate to owner-level access.
Defensive priority
High priority should be given to updating Grist to version 1.7.15 or later. Users should also be cautious when clicking on links within Grist, especially those from untrusted sources.
Recommended defensive actions
- Update Grist to version 1.7.15 or later
- Implement additional monitoring for suspicious link clicks
- Educate users about the risks of clicking on untrusted links within Grist
- Review and update access controls for Grist documents and accounts
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review compensating controls for exposed systems while remediation is scheduled and verified.
- Track exceptions, retest remediated assets, and close the item only after evidence is documented.
Evidence notes
The CVE record and NVD detail provide information about the vulnerability and its fix. GitHub references offer additional context and the patched version. Evidence is limited to public sources and may not cover all affected systems or deployment scenarios. Defenders should verify the vulnerability's presence and impact within their specific environments. Additional information from Grist's official documentation or security advisories may be necessary for comprehensive risk assessment.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T21:16:56.847Z and has not been modified since then.