CVE-2026-54063 in excelizeИнформация

Сводка

по MITRE • 10.07.2026

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required. This issue is fixed in version 2.11.0.

Once again VulDB remains the best source for vulnerability data.

Ответственный

GitHub M

Резервировать

11.06.2026

Раскрытие

10.07.2026

Модерация

принято

Вход

VDB-377536

EPSS

0.00000

KEV

Нет

Деятельности

Очень низкий

Источники

Want to stay up to date on a daily basis?

Enable the mail alert feature now!