Description
A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue.
Published: 2026-03-07
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local out-of-bounds read
Action: Apply patch
AI Analysis

Impact

The defect resides in xlnt-community's xlnt library, specifically in the read_directory routine of compound_document.cpp within the Encrypted XLSX File Parser. An attacker who can supply a crafted input file can trigger a read beyond the intended buffer boundary. The result is not code execution or privilege escalation; instead, data residing in memory adjacent to the buffer may be exposed. The flaw is a classic out-of-bounds read, classified under CWE-119 and CWE-125.

Affected Systems

All releases of xlnt up to and including version 1.6.1 are vulnerable. The issue is confined to the cryptography component that processes encrypted XLSX files. No later versions are mentioned in the advisory, and the vulnerability is not present in releases newer than 1.6.1.

Risk and Exploitability

The CVSS score is 4.8, indicating moderate severity. EPSS is below 1%, suggesting a low probability of exploitation at the current time. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires local execution, and the vulnerability has been publicly disclosed. Consequently, only users with local access to an application that uses xlnt are at risk.

Generated by OpenCVE AI on April 16, 2026 at 10:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch introduced in pull request 147, which corrects the out-of-bounds read in compound_document.cpp.
  • Upgrade the xlnt library to version 1.6.2 or later, where the issue has been resolved.
  • If an immediate upgrade is infeasible, tighten local access controls for software that loads xlnt, so that only least-privileged users who need to can supply or open encrypted XLSX files.



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 20:45:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:xlnt-community:xlnt:*:*:*:*:*:*:*:*

Mon, 09 Mar 2026 10:15:00 +0000

Type: First Time appeared
Values Added: Xlnt-community; Xlnt-community xlnt

Type: Vendors & Products
Values Added: Xlnt-community; Xlnt-community xlnt

Sat, 07 Mar 2026 14:45:00 +0000

Type: Description
Values Added: A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue.

Type: Title
Values Added: xlnt-community xlnt Encrypted XLSX File compound_document.cpp read_directory out-of-bounds

Type: Weaknesses
Values Added: CWE-119; CWE-125

Type: References

Type: Metrics
Values Added:

cvssV2_0
{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C'}

cvssV3_0
{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV3_1
{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C'}

cvssV4_0
{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Xlnt-community Xlnt
MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T16:29:17.998Z

Reserved: 2026-03-06T20:34:45.441Z

Link: CVE-2026-3664

Vulnrichment

Updated: 2026-03-11T16:14:51.612Z

NVD

Status: Analyzed

Published: 2026-03-07T15:15:56.240

Modified: 2026-03-10T20:30:16.937

Link: CVE-2026-3664

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T11:00:10Z

Weaknesses