CVE-2026-59162
Undergoing Analysis Undergoing Analysis - In Progress

Excelize Go Library Shared-String Index Out of Bounds

Vulnerability report for CVE-2026-59162, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: GitHub, Inc.

Description

Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and panic when read through GetCellValue or GetRows. This issue is fixed in version 2.11.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
qax-os excelize to 2.11.0 (exc)
qax-os excelize 2.11.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-248 An exception is thrown from a function, but it is not caught.
CWE-755 The product does not handle or incorrectly handles an exceptional condition.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Mitigation Strategies

The primary mitigation step is to upgrade the Excelize library to version 2.11.0 or later, where the vulnerability is fixed by proper validation of shared string table indices.

Until the upgrade is applied, avoid processing untrusted or malicious XLSX files that may contain invalid shared-string indices to prevent application panics or denial of service.

Implement panic recovery in your application code when using Excelize to handle unexpected crashes gracefully.

Compliance Impact

The CVE-2026-59162 vulnerability causes a denial of service through application panics when processing malicious XLSX files with invalid shared string indices. This can lead to unexpected crashes and potential resource exhaustion in applications using the Excelize library.

However, there is no information provided in the available resources or CVE description that directly links this vulnerability to impacts on compliance with common standards or regulations such as GDPR or HIPAA.

Therefore, based on the provided data, it is not possible to determine how this vulnerability affects compliance with these regulations.

Executive Summary

CVE-2026-59162 is a vulnerability in the Excelize Go library used for reading and writing Microsoft Excel spreadsheets. The issue arises when the library parses shared-string cell values in XLSX files. Specifically, if a malicious XLSX file contains a shared-string cell with a negative index (such as -1), the library uses strconv.Atoi to parse this index but only checks if the index is less than the length of the shared string table, without verifying that it is non-negative.

Because a negative index passes the upper-bound check, the library attempts to access sharedStrings[-1], which causes a runtime panic. This panic can crash applications that use the library to read untrusted spreadsheet files if they do not have proper panic recovery mechanisms.

The root cause is the lack of a lower-bound check on the shared string index before accessing the shared string slice. This vulnerability was fixed in Excelize version 2.11.0 by adding proper validation to ensure indices are non-negative and within bounds.

Impact Analysis

This vulnerability can lead to a denial of service (DoS) condition in applications that use the Excelize library to parse XLSX files. If an attacker crafts a malicious spreadsheet containing a shared-string cell with a negative index, it can cause the application to panic and crash unexpectedly.

Such crashes can disrupt normal operations, potentially causing service interruptions or application instability, especially if the application processes untrusted or user-supplied Excel files without adequate error handling or panic recovery.

Detection Guidance

The vulnerability occurs when the Excelize library processes XLSX files containing shared-string cells with negative indices, such as <v>-1</v>, causing a panic. Detection involves identifying if your system or application uses Excelize versions 2.10.1 or earlier to parse XLSX files.

To detect exploitation attempts or presence of this vulnerability, you can monitor application logs for runtime panics or crashes related to Excelize when reading Excel files.

There are no specific commands provided in the resources to detect this vulnerability directly on your network or system.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59162. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart