Saved February 14, 2026
Do you care about this?
A serious security flaw in Grist-Core, tracked as CVE-2026-24002, allows remote code execution through malicious spreadsheet formulas. Discovered by researcher Vladimir Tokarev, this vulnerability can lead to unauthorized command execution on the server. Users should update to version 1.7.9 or later to mitigate the risk.
If you do, here's more
A critical vulnerability has been found in Grist-Core, an open-source spreadsheet-database platform, that could allow remote code execution (RCE). Identified as CVE-2026-24002 with a CVSS score of 9.1, this flaw, dubbed Cellbreak, was discovered by security researcher Vladimir Tokarev. It enables an attacker to execute OS commands or run JavaScript through malicious formulas embedded in spreadsheets, effectively breaching the isolation intended by Grist's sandboxing method.
The issue stems from the use of Pyodide for executing Python formulas. Grist's implementation allows untrusted formulas to run in a web browser sandbox, but the design includes vulnerabilities that let attackers escape this sandbox. By traversing Python's class hierarchy and accessing restricted functions, attackers can execute commands on the host server, potentially exposing sensitive data like database credentials and API keys. Grist has released version 1.7.9 to fix this problem, moving away from Pyodide to Deno for formula execution by default.
Users need to check their sandboxing settings in the Admin Panel. If they see 'pyodide', they must upgrade to the latest version to remove the exposure. For those who can't update immediately, setting the GRIST_SANDBOX_FLAVOR environment variable to "gvisor" offers a temporary workaround. The situation highlights the broader risks associated with automation platforms, where a single failure in sandboxing can compromise security and trust within organizations. Tokarev emphasizes the need for more robust, capability-based sandboxing rather than relying on blocklists.
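As an added example (not code from Grist or from the article), the following Python script turns the remediation guidance above into a repeatable check that can be run against an inventory of Grist deployments. It encodes only what the article states: 1.7.9 is the fixed version, the 'pyodide' flavor is the exposed configuration, and 'gvisor' is the interim workaround. The status names, the sample inventory, and the decision to flag a fixed version that still pins the pyodide flavor for manual review are this example's own assumptions.

```python
"""Triage helper for the Grist-Core sandbox issue (CVE-2026-24002).

Added example, not code from Grist or from the article. It classifies a
deployment from two facts a defender can collect: the Grist-Core version
and the GRIST_SANDBOX_FLAVOR setting shown in the Admin Panel.
"""
import os
import re
from typing import Dict, Iterable, Optional, Tuple

# Fixed version per the advisory text.
FIXED_VERSION = (1, 7, 9)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.7.9' or 'v1.7.10-rc1' into a tuple of ints that compares correctly.

    Tuple comparison handles differing lengths: (1, 8) > (1, 7, 9) and
    (1, 7) < (1, 7, 9), which plain string comparison would get wrong.
    """
    m = re.match(r"v?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def assess(version: str, flavor: Optional[str]) -> str:
    """Classify one deployment.

    Returns one of (status names are this example's own):
      'patched'               version >= 1.7.9 and flavor not pinned to pyodide
      'patched-flavor-pinned' version >= 1.7.9 but flavor still set to pyodide;
                              assumption: worth a manual look in the Admin Panel
      'vulnerable'            older version running the pyodide flavor
      'mitigated'             older version with the gvisor workaround applied
      'review'                older version with an unset or other flavor;
                              assumption: inspect rather than guess the default
    """
    normalised = (flavor or "").strip().lower()
    if parse_version(version) >= FIXED_VERSION:
        return "patched-flavor-pinned" if normalised == "pyodide" else "patched"
    if normalised == "pyodide":
        return "vulnerable"
    if normalised == "gvisor":
        return "mitigated"
    return "review"


def assess_local(version: str) -> str:
    """Assess the host this runs on, reading the flavor from its environment."""
    return assess(version, os.environ.get("GRIST_SANDBOX_FLAVOR"))


def audit_inventory(inventory: Iterable[Tuple[str, str, Optional[str]]]) -> Dict[str, str]:
    """Map each (name, version, flavor) record to its status."""
    return {name: assess(version, flavor) for name, version, flavor in inventory}


# Constructed sample inventory; names, versions and flavors are made up.
SAMPLE_INVENTORY = [
    ("finance-grist", "1.7.8", "pyodide"),
    ("ops-grist", "v1.7.10", None),
    ("lab-grist", "1.7.2", "gvisor"),
    ("legacy-grist", "1.6.0", ""),
]

if __name__ == "__main__":
    for name, status in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:15s} {status}")
```

Feed it the version and flavor values collected from each instance's Admin Panel (or its container environment); any 'vulnerable' result means upgrade now, and 'mitigated' means the gvisor workaround is in place but the upgrade is still pending.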