Key information

Vulnerability title: pyodide sandbox option is insecure
CVE ID: CVE-2026-24002
Severity: Critical (9.1/10)

Affected versions:
- Affected versions: < 1.7.9
- Patched versions: 1.7.9

Description: Grist is spreadsheet software using Python as its formula language. Grist offers several methods for running those formulas in a sandbox, for cases where the user may be working with untrusted spreadsheets. One such method runs them in pyodide, but pyodide on node does not have a useful sandbox barrier.

Impact: If a user of Grist sets to and opens a malicious document, that document could run arbitrary processes on the server hosting Grist.

Fix: The problem has been addressed in Grist version 1.7.9 and up, by running pyodide under deno.

Workaround: A user can use the gvisor-based sandbox by setting to as documented at https://support.getgrist.com/self-managed/#how-do-i-sandbox-documents

CVSS v3 base metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High

Reporter: @VladimirEliTokarev