Skip to main content

Excelize CVE-2026-54063

| EUVDEUVD-2026-42938 HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-07-10 GitHub_M GHSA-h69g-9hx6-f3v4
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote, low-complexity, unauthenticated parsing of an attacker file with no user interaction; impact is availability-only (OOM/panic) with no confidentiality or integrity loss.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 18:01 EUVD
Analysis Generated
Jul 10, 2026 - 17:03 vuln.today
CVE Published
Jul 10, 2026 - 15:53 cve.org
HIGH 7.5

DescriptionCVE.org

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required. This issue is fixed in version 2.11.0.

AnalysisAI

Denial of service in the Excelize Go library (github.com/xuri/excelize/v2, a.k.a. qax-os/excelize) before 2.11.0 allows remote attackers to crash any service that opens attacker-supplied XLSX files and reads cell values. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft XLSX with malicious row r value
Delivery
Submit file to upload/parse endpoint
Exploit
Service calls GetCellValue via checkSheet()
Execution
Oversized or negative make() allocation
Persist
OOM kill or unrecovered panic
Impact
Service denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target service (1) uses Excelize prior to 2.11.0, (2) opens an XLSX file whose contents the attacker controls or can supply, and (3) invokes a parsing path that reaches checkSheet(), such as GetCellValue after OpenFile/OpenReader. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5, High) is well-supported by the description: network-reachable, low-complexity, no privileges or interaction, with availability-only impact and no confidentiality or integrity loss. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a crafted XLSX to a document-processing endpoint (or emails it to an automated attachment parser) whose worksheet XML contains <row r="2147483647">, and when the service calls GetCellValue the library attempts a ~16 GB allocation and the process is OOM-killed. Alternatively, an r="-1" value causes an out-of-bounds slice index and an unrecovered panic that crashes the worker. …
Remediation Primary fix: upgrade the Excelize dependency to version 2.11.0 or later - Vendor-released patch: v2.11.0 - for example run 'go get github.com/xuri/excelize/v2@v2.11.0' and rebuild, per the release at https://github.com/qax-os/excelize/releases/tag/v2.11.0 and advisory https://github.com/qax-os/excelize/security/advisories/GHSA-h69g-9hx6-f3v4. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all services using Excelize versions before 2.11.0; restrict XLSX file uploads to authenticated, trusted sources only; implement file validation to reject XLSX files with suspicious row attributes (r parameter values). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-54063 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy