CVE-2026-2703
Off-by-One Vulnerability in xlnt Encrypted XLSX Parser
Publication date: 2026-02-19
Last updated on: 2026-04-29
Assigner: VulDB
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xlnt-community | xlnt | up to and including 1.6.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-193 | A product calculates or uses an incorrect maximum or minimum value that is 1 more, or 1 less, than the correct value. |
| CWE-189 | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the xlnt-community xlnt library up to version 1.6.1, specifically in the function xlnt::detail::decode_base64 within the Encrypted XLSX File Parser component. It is caused by an off-by-one error that can be triggered through manipulation. The attack requires local access to the system.
How can this vulnerability impact me?
Exploiting this vulnerability can lead to an off-by-one error, which may cause a denial of service or other unexpected behavior. The impact is limited as it requires local access and does not affect confidentiality or integrity, but it can affect availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, it is advised to apply the patch identified as f2d7bf494e5c52706843cf7eb9892821bffb0734.
Since the attack requires local access, limiting local access to trusted users can also reduce risk.