Threat Advisory

excelize Flaw Lets Attackers Read Arbitrary Files

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A vulnerability with CVE-2026-54063 with a CVSS score of 7.5 affecting github. versions < 2.11.0 was discovered in the excelize library, which allows attackers to read arbitrary files. The issue is caused by a lack of bounds checking in the checkSheet function, which can be exploited by providing a malicious XLSX file with an attacker-controlled <row> attribute. This can lead to out-of-bounds memory access and crashes or errors. The vulnerability affects versions prior to f4a068b and has been confirmed exploitable. A proof-of-concept (PoC) exploit is available, which demonstrates the issue by creating two malicious XLSX files and running them through a Docker image. The PoC exploit uses the excelize library's GetCellValue function to access arbitrary cells in the XLSX file, leading to crashes or errors when accessing out-of-bounds rows. This vulnerability has been confirmed exploitable and should be addressed promptly by updating to a fixed version of the excelize library.

RECOMMENDATION:

We recommend you to update excelize to version 2.11.0.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

A vulnerability with CVE-2026-54063 with a CVSS score of 7.5 affecting github. versions < 2.11.0 was discovered in the excelize library, which allows attackers to read arbitrary files. The issue is caused by a lack of bounds checking in the checkSheet function, which can be exploited by providing a malicious XLSX file with an attacker-controlled <row> attribute. This can lead to out-of-bounds memory access and crashes or errors. The vulnerability affects versions prior to f4a068b and has been confirmed exploitable. A proof-of-concept (PoC) exploit is available, which demonstrates the issue by creating two malicious XLSX files and running them through a Docker image. The PoC exploit uses the excelize library's GetCellValue function to access arbitrary cells in the XLSX file, leading to crashes or errors when accessing out-of-bounds rows. This vulnerability has been confirmed exploitable and should be addressed promptly by updating to a fixed version of the excelize library.

RECOMMENDATION:

We recommend you to update excelize to version 2.11.0.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu