
xlnt Community: Local Data Corruption Risk from Unpatched Version

CVE-2026-3463
Summary

A heap-based buffer overflow in the Compound Document Parser of xlnt Community could allow a local attacker to corrupt data on the affected system. The issue affects unpatched versions of xlnt Community up to 1.6.1. To protect your system, apply the available patch.

What to do

No fixed release is listed yet. The original description names a patch (147); check with your software vendor for updates.

Affected software
Vendor          Product   Affected versions   Fix available
xlnt-community  xlnt      <= 1.6.1            –
Original title
A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Docume...
Original description
A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue.
NVD CVSS 2.0: 1.7
NVD CVSS 3.1: 3.3
NVD CVSS 4.0: 4.8
Vulnerability type
CWE-119 Buffer Overflow
CWE-122 Heap-based Buffer Overflow
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026