Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-54063

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, the checkSheet() function in github.com/xuri/excelize/v2 uses an attacker-controlled <row r="N"> XML attribute value directly as the length argument to make([]xlsxRow, row) without validating it against the Excel row limit (TotalRows = 1,048,576). A specially crafted XLSX file can trigger two denial-of-service variants: (A) an out-of-memory process kill when r=2147483647 forces a ~16 GB allocation attempt, and (B) a runtime panic via out-of-bounds slice indexing when r=-1. Any service that opens attacker-supplied XLSX files and calls GetCellValue is affected. No authentication is required. This issue is fixed in version 2.11.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 43.6%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-54063


Contact Us

Shodan ® - All rights reserved