Input Validation Error in Excelize Library Affects Spreadsheet Functionality
CVE-2026-59162

6.9MEDIUM

Key Information:

Vendor

Qax-os

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-59162?

The Excelize library, a Go language tool for manipulating Microsoft Excel spreadsheets, is compromised due to an input validation error. The issue arises from parsing shared-string cell values using strconv.Atoi, which fails to properly check the bounds of the index when accessing shared string slices. This vulnerability can be exploited by crafting an XLSX file that includes a shared string cell with a value of -1. Consequently, attempts to read this data through functions like GetCellValue or GetRows may lead to a panic, resulting in application crashes. The issue has been rectified in version 2.11.0, which is advised for users to upgrade to in order to avoid potential disruptions.

Affected Version(s)

excelize < 2.11.0

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.