4.8
Xlnt XLSX Parser Allows Data Theft with Local Access
CVE-2026-3663
Summary
A bug in the xlnt XLSX file parser, an out-of-bounds read in `xlnt::detail::compound_document_istreambuf::xsgetn`, can allow an attacker with local access to read sensitive data. This affects systems using xlnt up to version 1.6.1. To fix this issue, apply the recommended patch (named 147) to the vulnerable software.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| xlnt-community | xlnt | <= 1.6.1 | – |
Original title
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_docu...
Original description
A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.
nvd CVSS2.0
1.7
nvd CVSS3.1
3.3
nvd CVSS4.0
4.8
Vulnerability type
CWE-119
Buffer Overflow
CWE-125
Out-of-bounds Read
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026