4.8
xlnt-community xlnt: Data Exposure in Local File Reading
CVE-2026-3664
Summary
A flaw in the xlnt-community xlnt library, in the code that parses encrypted XLSX files, can lead to an out-of-bounds read that lets an attacker with local access read sensitive data. This means that if an attacker can execute code on your system, they may be able to access information they shouldn't. To fix this, you should update to the latest version of xlnt, which includes a patch to resolve the issue.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| xlnt-community | xlnt | <= 1.6.1 | – |
Original title
A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document....
Original description
A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue.
nvd CVSS2.0: 1.7
nvd CVSS3.1: 3.3
nvd CVSS4.0: 4.8
Vulnerability type
CWE-119: Buffer Overflow
CWE-125: Out-of-bounds Read
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026