cvedb.io
CVE-2025-64752
MEDIUM · CVSS 6.8
EPSS exploitation probability: 0%
Published 2025-11-13T22:15:52.563 · Last modified 2026-06-17T09:55:09.040

Summary

grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with access to any document on a Grist installation can use a feature for fetching from a URL that is executed on the server. The privileged network access of server-side requests could offer opportunities for attack escalation. This issue is fixed in version 1.7.7. The mitigation was to use the proxy for untrusted fetches intended for such purposes. As a workaround, avoid making http/https endpoints available to an instance running Grist that expose credentials or operate without credentials.

Affected products

getgrist — grist-core

Does this affect you?

Add your gear to cvedb and we'll alert you only when getgrist ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.