CVE-2026-2703 - Vulnerability Details

- xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one

Description

A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called f2d7bf494e5c52706843cf7eb9892821bffb0734. Applying a patch is advised to resolve this issue.

Published: 2026-02-19

Score: 4.8 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A vulnerability exists in the xlnt library’s base64 decoding routine used for encrypted XLSX files. The off‑by‑one error can corrupt memory when processing a malformed input, which may allow an attacker with local access to trigger crashes or potentially execute arbitrary code. The weakness is classified as an integer truncation (CWE‑189) and an off‑by‑one index error (CWE‑193).

Affected Systems

The issue affects xlnt-community’s xlnt library up to version 1.6.1. The patch addressing the defect is referenced by commit f2d7bf494e5c52706843cf7eb9892821bffb0734 and is available in subsequent releases. Systems that compile or link against versions prior to the patch are vulnerable.

Risk and Exploitability

The CVSS score of 4.8 reflects moderate severity, and the EPSS score of below 1% suggests a very low likelihood of exploitation. The defect is not listed in the CISA KEV catalog. Exploitation requires local access to the machine running the vulnerable library; an attacker would need to deliver a specially crafted XLSX file to a process that uses xlnt. Because the flaw can trigger memory corruption, a successful exploit could elevate privileges or run arbitrary code on the local host.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

xlnt-community

xlnt

affected

Version	Status	Constraints
`1.6.0`	affected	—
`1.6.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:xlnt-community:xlnt:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Xlnt-community

Xlnt

100%

Version	Status	Scheme	Platform
`1.6.0`	affected	semver	—
`1.6.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update xlnt to a version that includes commit f2d7bf494e5c52706843cf7eb9892821bffb0734 or later
If an update cannot be applied immediately, isolate the process that loads xlnt in a sandboxed or least‑privilege environment to limit the impact of a possible crash or code execution
Implement additional input validation or integrity checks on XLSX files before invoking xlnt’s decoding routine to mitigate malformed payloads

Generated by OpenCVE AI on April 17, 2026 at 18:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00012.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/oneafter/0128/blob/main/xl1/repro
https://github.com/xlnt-community/xlnt/
https://github.com/xlnt-community/xlnt/commit/f2d7bf494e5c52706843cf7eb9892821bffb0734
https://github.com/xlnt-community/xlnt/issues/137
https://vuldb.com/?ctiid.346649
https://vuldb.com/?id.346649
https://vuldb.com/?submit.754377

History

Tue, 10 Mar 2026 20:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:xlnt-community:xlnt::::::::

Tue, 24 Feb 2026 02:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Feb 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Xlnt-community Xlnt-community xlnt
Vendors & Products		Xlnt-community Xlnt-community xlnt

Thu, 19 Feb 2026 04:15:00 +0000

Type	Values Removed	Values Added
Description		A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called f2d7bf494e5c52706843cf7eb9892821bffb0734. Applying a patch is advised to resolve this issue.
Title		xlnt-community xlnt Encrypted XLSX File base64.cpp decode_base64 off-by-one
Weaknesses		CWE-189 CWE-193
References		https://github.com/oneafter/0128/blob/main/xl1/repro https://github.com/xlnt-community/xlnt/ https://github.com/xlnt-community/xlnt/commit/f2d7bf494e5c52706843cf7eb9892821bffb0734 https://github.com/xlnt-community/xlnt/issues/137 https://vuldb.com/?ctiid.346649 https://vuldb.com/?id.346649 https://vuldb.com/?submit.754377
Metrics		cvssV2_0 `{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Xlnt-community Xlnt

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-02-19T04:02:10.794Z

Updated: 2026-02-24T01:40:43.838Z

Reserved: 2026-02-18T17:59:02.756Z

Link: CVE-2026-2703

Vulnrichment

Updated: 2026-02-24T01:40:39.228Z

NVD

Status : Analyzed

Published: 2026-02-19T07:17:49.477

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-2703

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T18:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction None

Access Vector Local

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact None

Availability Impact Partial

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object