Grist Labs A.I CyberSecurity Scoring
Grist Labs
Company Information
Website:http://www.getgrist.com
Employees number:12
Number of followers:1,217
NAICS:5112
Industry Type:Software Development
Homepage:getgrist.com
Grist Labs Risk Score (AI oriented)
Between 700 and 749
Grist LabsSoftware Development
Updated:
10/03/2026
10/03/2026
748/1000
Moderate
Ba
Grist Labs Global Score (TPRM)
xxxx
Grist LabsSoftware Development
Score locked

Grist LabsModerate
Current Score
748Ba (MODERATE)
01000
1 incidents
-3 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
748
JUNE 2026
748
MAY 2026
748
APRIL 2026
748
MARCH 2026
748
FEBRUARY 2026
748
JANUARY 2026
750
Vulnerability
20 Jan 2026 • Grist Labs
Grist-Core and France’s public sector educational institutions: Grist-Core Vulnerability Enables Malicious Remote Code Execution via Crafted Spreadsheet Formulas
Critical Sandbox Escape Flaw in Grist-Core Patched After Disclosure by Cyera Research Labs
747
CRITICAL-3
GRICAM1769683332
Critical Sandbox Escape Flaw in Grist-Core Patched After Disclosure by Cyera Research Labs
A high-severity sandbox escape vulnerability in Grist-Core, tracked as GHSA-7xvx-8pf2-pv5g (CVSS 9.1), has been patched following responsible disclosure by Cyera Research Labs. The flaw allowed attackers to achieve remote code execution (RCE) by exploiting malicious spreadsheet formulas that bypassed the platform’s Pyodide WebAssembly sandbox, exposing sensitive data and downstream systems.
### Vulnerability Details & Impact
Grist-Core, a relational spreadsheet platform, is used by over 1,000 organizations, including France’s public sector educational institutions, to model business data, automate workflows, and integrate Python-based formulas. The platform operates in SaaS and self-hosted configurations, making it a critical data hub with access to customer records, operational metrics, and integration credentials.
In SaaS deployments, a successful exploit could lead to RCE within the vendor’s control plane, potentially compromising multi-tenant workflows, credentials, and connected systems.
### Exploit Vectors & Patch
Cyera Research Labs identified three distinct sandbox escape methods:
1. Python Class Hierarchy Traversal – Exploited `warnings.catch_warnings` to access full built-ins, enabling direct imports of the `os` module and command execution via `os.system()`.
2. Direct C Library Access – Leveraged `ctypes` to call `ctypes.CDLL(None).system()`, loading the `system()` function from libc via the Emscripten runtime.
3. Emscripten Runtime Manipulation – Used `emscripten_run_script_string()` to execute JavaScript in the host runtime, gaining access to `require('child_process')` and `process.env` for full host compromise.
Grist released version 1.7.9 on January 20, 2026, addressing the issue by migrating Pyodide formula execution under Deno by default. This introduces a permission-based mediation layer, blocking sensitive operations unless explicitly granted. Organizations must ensure the `GRIST_PYODIDE_SKIP_DENO` flag is disabled, as enabling it reintroduces the vulnerability.
The patch shifts Grist’s security model from a blocklist-based sandbox to a capability-based approach, significantly reducing the risk of formula-based exploitation.
INCIDENT DETAILS -
TYPE
IMPACT
DATA BREACH
REFERENCES
DECEMBER 2025
750
NOVEMBER 2025
750
OCTOBER 2025
750
SEPTEMBER 2025
750
AUGUST 2025
750
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Grist Labs ??
What was Grist Labs's A.I Rankiteo Cyber Score in June 2026 ??
What was Grist Labs's A.I Rankiteo Cyber Score in May 2026 ??
What was Grist Labs's A.I Rankiteo Cyber Score in April 2026 ??
What was Grist Labs's A.I Rankiteo Cyber Score in March 2026 ??
What was Grist Labs's A.I Rankiteo Cyber Score in February 2026 ??
What was Grist Labs's A.I Rankiteo Cyber Score in January 2026 ??
What was Grist Labs's A.I Rankiteo Cyber Score in December 2025 ??
What was Grist Labs's A.I Rankiteo Cyber Score in November 2025 ??
What was Grist Labs's A.I Rankiteo Cyber Score in October 2025 ??
What was Grist Labs's A.I Rankiteo Cyber Score in September 2025 ??
What was Grist Labs's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Grist Labs's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Grist Labs ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Grist Labs's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?