Grist, a widely used spreadsheet application, recently addressed a critical vulnerability, identified as Cellbreak (CVE-2026-24002), which allows Remote Code Execution (RCE) through malicious formulas. The Cellbreak vulnerability was found by Cyera Research Labs. It has a CVSS score of 9.1, indicating its severity and the exploitation risk it poses to users.
Cellbreak is considered a Pyodide sandbox escape. This critical vulnerability allows threat actors to abuse the software's formula calculation functionality to run malicious code. Grist version 4.5.0, released April 27, 2026, fixed the vulnerability; by default, it now runs Pyodide formulas on the Deno JavaScript runtime.
Details of the Cellbreak Vulnerability
The Cellbreak vulnerability allows malicious actors to run arbitrary commands on the host system, which all but renders any other security protections moot. Vladimir Tokarev of Cyera Research Labs highlighted the seriousness of the problem, telling us that,
“One malicious formula can turn a spreadsheet into a Remote Code Execution (RCE) beachhead.”
This remark underlines that a single exploit can compromise an entire system. The vulnerability stems from the design of the Pyodide sandbox, which lets a formula traverse Python's class hierarchy and reach Emscripten runtime functions that should otherwise be inaccessible from formula cells.
“The sandbox’s design allows traversal through Python’s class hierarchy and leaves ctypes available, which together open access to Emscripten runtime functions that should never be reachable from a formula cell,” Tokarev explained.
Mitigation Measures Implemented by Grist
After learning of Cellbreak, Grist added an important protection for its users. The newest release confronts the flaw in a few key ways and establishes a baseline security practice for the formula execution environment. By running Pyodide on the Deno JavaScript runtime, Grist aims to make exploitation much more difficult.
Users must remain vigilant. If the environment variable GRIST_PYODIDE_SKIP_DENO is set to “1”, the risk from Cellbreak returns. The Grist project maintainers therefore emphasize checking the sandboxing section of the Admin Panel to determine whether an instance is affected.
“You can check if you are affected in the sandboxing section of the Admin Panel of your instance. If you see ‘gvisor’ there, then you are not affected. If you see ‘pyodide,’ then it is important to update to this version of Grist or later,” they advised.
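As an added example (not Grist's or Cyera's code), the check described above turned into a small triage helper: it applies the three rules the advisory states (gvisor not affected, Pyodide needs 4.5.0 or later, GRIST_PYODIDE_SKIP_DENO=1 reopens the risk) to an instance's Admin Panel sandbox label, version and environment. The verdict labels, hostnames and sample versions are assumptions constructed for this example.

```python
import re
from typing import Mapping

# Added triage helper, not Grist's own code. Rules come from the advisory text:
# gvisor -> not affected; pyodide -> needs 4.5.0+; GRIST_PYODIDE_SKIP_DENO=1 -> risk returns.
FIXED_VERSION = (4, 5, 0)  # Grist 4.5.0 shipped the Deno-based fix


def parse_version(text: str) -> tuple:
    """Turn '4.5.0' (or 'v4.5') into (4, 5, 0); missing components default to 0."""
    m = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) if p else 0 for p in m.groups())


def cellbreak_exposure(sandbox: str, version: str, env: Mapping[str, str]) -> str:
    """Classify one instance from its Admin Panel sandbox label, version and env.
    Verdict labels are this example's own, not Grist's."""
    flavour = sandbox.strip().lower()
    if flavour == "gvisor":
        return "not-affected"        # gVisor sandbox is not in scope of Cellbreak
    if flavour != "pyodide":
        return "review-manually"     # a label the advisory does not cover
    if parse_version(version) < FIXED_VERSION:
        return "update-required"     # pre-4.5.0 Pyodide: vulnerable
    if env.get("GRIST_PYODIDE_SKIP_DENO", "").strip() == "1":
        return "deno-disabled"       # fix present, but bypassed by configuration
    return "protected"


# Constructed sample inventory; hostnames, versions and env values are made up.
SAMPLE_FLEET = [
    ("grist-a.example", "gvisor", "4.4.2", {}),
    ("grist-b.example", "pyodide", "4.4.9", {}),
    ("grist-c.example", "pyodide", "4.5.0", {"GRIST_PYODIDE_SKIP_DENO": "1"}),
    ("grist-d.example", "pyodide", "4.5.1", {"GRIST_PYODIDE_SKIP_DENO": "0"}),
]


def triage(fleet=SAMPLE_FLEET) -> dict:
    """Map each host to its verdict so a fleet-wide report can be generated."""
    return {host: cellbreak_exposure(s, v, e) for host, s, v, e in fleet}


if __name__ == "__main__":
    for host, verdict in triage().items():
        print(f"{host}: {verdict}")
```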
Similarities to Other Vulnerabilities
Cellbreak presents serious dangers that should sound alarms similar to those raised over previous vulnerabilities in automation platforms. One such vulnerability, CVE-2025-68668 (N8scape), has an even higher CVSS score of 9.9. Tokarev noted,
“This mirrors the systemic risk found in other automation platforms: a single execution surface with privileged access can collapse organizational trust boundaries when its sandbox fails.”
This points to a key concern in software security: vulnerabilities can pose a risk not just to individual applications, but to an organization's entire infrastructure.

