Microsoft Excel File Parsing Flaw Allows Local Code Execution

CVE-2026-3665
Summary

A flaw in how xlnt parses Microsoft Excel (XLSX) files can be exploited by an attacker with local access to the same computer, potentially allowing them to run malicious code. The flaw affects the xlnt library up to and including version 1.6.1. To protect your system, update xlnt to a fixed version when one becomes available, or use a different library that is not affected by this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software
Vendor | Product | Affected versions | Fix available
xlnt-community | xlnt | <= 1.6.1 | –
Original title
A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xls...
Original description
A vulnerability was identified in xlnt-community xlnt up to 1.6.1. The affected element is the function xlnt::detail::xlsx_consumer::read_office_document of the file source/detail/serialization/xlsx_consumer.cpp of the component XLSX File Parser. The manipulation leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used.
NVD CVSS 2.0: 1.7
NVD CVSS 3.1: 3.3
NVD CVSS 4.0: 4.8
Vulnerability type
CWE-404
CWE-476 NULL Pointer Dereference
Published: 7 Mar 2026 · Updated: 13 Mar 2026 · First seen: 7 Mar 2026