Denial of Service Vulnerability in Excelize Go Library
CVE-2026-54063

7.5HIGH

Key Information:

Vendor

Qax-os

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-54063?

A vulnerability exists in the Excelize library for Go, specifically within the checkSheet() function, where an attacker can exploit unvalidated XML row attributes. This flaw allows for the creation of specially crafted XLSX files that can lead to two potential denial-of-service conditions: an out-of-memory error resulting from excessive memory allocation and a runtime panic due to out-of-bounds access. This affects any application that processes untrusted XLSX files. The issue has been addressed in version 2.11.0, which provides the necessary validation of XML input.

Affected Version(s)

excelize < 2.11.0

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.