Skip to main content

Excelize CVE-2026-59161

| EUVDEUVD-2026-42936 HIGH
Uncontrolled Resource Consumption (CWE-400)
2026-07-10 GitHub_M
8.7
CVSS 4.0 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.5 HIGH

Attacker controls only an untrusted input file (AV:N, PR:N, UI:N, AC:L) and impact is a pure resource-exhaustion DoS, so C:N/I:N with A:H and unchanged scope.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jul 10, 2026 - 18:01 EUVD
Analysis Generated
Jul 10, 2026 - 16:52 vuln.today
CVE Published
Jul 10, 2026 - 15:47 cve.org
HIGH 8.7

DescriptionCVE.org

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to the attacker-controlled index and consume excessive memory and CPU. This issue is fixed in version 2.11.0.

AnalysisAI

Uncontrolled memory and CPU consumption in Excelize (qax-os/excelize), the widely used Go library for reading and writing Microsoft Excel spreadsheets, before version 2.11.0 lets a crafted XLSX file trigger a denial of service. The streaming worksheet reader behind the Rows and GetRows APIs fails to enforce the TotalRows (1,048,576) limit on the row 'r' attribute, so a tiny file declaring an out-of-range row index with no cell coordinate forces GetRows to allocate empty rows up to that attacker-chosen index. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft XLSX with oversized row r attribute
Delivery
Submit file to Excelize-backed service
Exploit
GetRows appends empty rows to attacker index
Execution
Memory and CPU exhausted
Impact
Service denial of service

Vulnerability AssessmentAI

Exploitation Exploitation requires that a target application built on Excelize prior to 2.11.0 parse an attacker-supplied XLSX file through the streaming Rows or GetRows readers. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment This is a genuine but bounded risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker uploads a small, well-formed XLSX file to a service that uses a pre-2.11.0 Excelize to extract sheet contents via GetRows. The file contains a single row element with r set far above 1,048,576 and no cell coordinates, causing the parser to allocate empty rows up to that index and spike memory and CPU until the worker or host is exhausted. …
Remediation Vendor-released patch: 2.11.0 - upgrade the dependency to v2.11.0 or later and rebuild/redeploy as the primary and complete fix; the corrective change is in PR https://github.com/qax-os/excelize/pull/2331 and commit 93f0b3caed37f21ef5079e3259c6c21dcfe68453, with details in advisory https://github.com/qax-os/excelize/security/advisories/GHSA-q5j5-6p94-4gwc. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all applications and services using Excelize library (particularly those accepting user-uploaded files) via dependency scanning. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-59161 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy