Input Validation Error in Excelize Library Affects Spreadsheet Functionality
CVE-2026-59162
6.9MEDIUM
What is CVE-2026-59162?
The Excelize library, a Go language tool for manipulating Microsoft Excel spreadsheets, is compromised due to an input validation error. The issue arises from parsing shared-string cell values using strconv.Atoi, which fails to properly check the bounds of the index when accessing shared string slices. This vulnerability can be exploited by crafting an XLSX file that includes a shared string cell with a value of -1. Consequently, attempts to read this data through functions like GetCellValue or GetRows may lead to a panic, resulting in application crashes. The issue has been rectified in version 2.11.0, which is advised for users to upgrade to in order to avoid potential disruptions.
Affected Version(s)
excelize < 2.11.0
