{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3463", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-03T06:03:44.804Z", "datePublished": "2026-03-03T12:02:10.570Z", "dateUpdated": "2026-03-03T14:48:28.075Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-03T12:02:10.570Z"}, "title": "xlnt-community xlnt Compound Document binary.hpp append heap-based overflow", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-122", "lang": "en", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "xlnt-community", "product": "xlnt", "versions": [{"version": "1.6.0", "status": "affected"}, {"version": "1.6.1", "status": "affected"}], "modules": ["Compound Document Parser"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-03T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-03T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-03T07:09:14.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Oneafter (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.348530", "name": "VDB-348530 | xlnt-community xlnt Compound Document binary.hpp append heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.348530", "name": "VDB-348530 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.764643", "name": "Submit #764643 | xlnt-community xlnt commit bceb706 and before Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xlnt-community/xlnt/issues/138", "tags": ["issue-tracking"]}, {"url": "https://github.com/xlnt-community/xlnt/issues/138#issuecomment-3868381672", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0128/blob/main/xl2/repro", "tags": ["exploit"]}, {"url": "https://github.com/xlnt-community/xlnt/pull/147", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/xlnt-community/xlnt/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T14:47:46.086978Z", "id": "CVE-2026-3463", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:48:28.075Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3463", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T14:47:46.086978Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:48:08.016Z"}}], "cna": {"title": "xlnt-community xlnt Compound Document binary.hpp append heap-based overflow", "credits": [{"lang": "en", "type": "reporter", "value": "Oneafter (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "xlnt-community", "modules": ["Compound Document Parser"], "product": "xlnt", "versions": [{"status": "affected", "version": "1.6.0"}, {"status": "affected", "version": "1.6.1"}]}], "timeline": [{"lang": "en", "time": "2026-03-03T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-03T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-03T07:09:14.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.348530", "name": "VDB-348530 | xlnt-community xlnt Compound Document binary.hpp append heap-based overflow", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.348530", "name": "VDB-348530 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.764643", "name": "Submit #764643 | xlnt-community xlnt commit bceb706 and before Heap-based Buffer Overflow", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xlnt-community/xlnt/issues/138", "tags": ["issue-tracking"]}, {"url": "https://github.com/xlnt-community/xlnt/issues/138#issuecomment-3868381672", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0128/blob/main/xl2/repro", "tags": ["exploit"]}, {"url": "https://github.com/xlnt-community/xlnt/pull/147", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/xlnt-community/xlnt/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-03T12:02:10.570Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3463", "state": "PUBLISHED", "dateUpdated": "2026-03-03T14:48:28.075Z", "dateReserved": "2026-03-03T06:03:44.804Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-03T12:02:10.570Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xlnt-community:xlnt:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B381094-639E-4E21-8CB0-60C480F02400", "versionEndIncluding": "1.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::binary_writer::append of the file source/detail/binary.hpp of the component Compound Document Parser. This manipulation causes heap-based buffer overflow. The attack can only be executed locally. The exploit has been made available to the public and could be used for attacks. Patch name: 147. It is suggested to install a patch to address this issue."}, {"lang": "es", "value": "Se ha identificado una debilidad en xlnt-community xlnt hasta 1.6.1. La funci\u00f3n xlnt::detail::binary_writer::append del archivo source/detail/binary.hpp del componente Analizador de Documentos Compuestos se ve afectada. Esta manipulaci\u00f3n causa desbordamiento de b\u00fafer basado en mont\u00edculo. El ataque solo puede ejecutarse localmente. El exploit se ha puesto a disposici\u00f3n del p\u00fablico y podr\u00eda usarse para ataques. Nombre del parche: 147. Se sugiere instalar un parche para abordar este problema."}], "id": "CVE-2026-3463", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-03T12:16:06.880", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://github.com/oneafter/0128/blob/main/xl2/repro"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/xlnt-community/xlnt/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/xlnt-community/xlnt/issues/138"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/xlnt-community/xlnt/issues/138#issuecomment-3868381672"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/xlnt-community/xlnt/pull/147"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.348530"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.348530"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.764643"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "xlnt", "source": "cna", "vendor": "xlnt-community"}, "product": "xlnt", "vendor": "xlnt-community"}], "analysis": {"en": {"generated_at": "2026-04-18T10:05:37.414026+00:00", "value": {"mitigation_remediation": ["Apply the patch released in PR\u00a0#147, which corrects the bounds check in xlnt::detail::binary_writer::append.", "Update the xlnt library to the latest release that incorporates this correction.", "Until a newer release is available, restrict handling of compound document files to trusted sources or disable the feature within the application."], "summary": {"action": "Apply Patch", "impact": "Heap-based Buffer Overflow"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all versions of the xlnt library up to and including 1.6.1 distributed by xlnt\u2011community. Any application that incorporates these versions and processes compound document files is susceptible. No other products or library versions are documented as vulnerable.", "description_and_impact": "The xlnt-community library contains a heap\u2011based buffer overflow in the binary_writer::append function, part of its Compound Document Parser. When processing a specially crafted compound document file, the function writes beyond the bounds of a heap buffer, potentially corrupting adjacent memory and causing application crashes or other memory corruption. The flaw requires local execution, meaning that an attacker must be able to run code in the same context that loads the document. While the CVE description does not explicitly state arbitrary code execution, the availability of a publicly released exploit suggests that attackers could potentially use the overflow to perform local attacks. The weakness maps to CWEs\u00a0119 and\u00a0122.", "risk_and_exploitability": "The CVSS score of 4.8 indicates moderate risk, and the EPSS score of less than 1% shows a low likelihood of exploitation in practice. The flaw requires local execution; an attacker must have code running in the same context that loads a compound document, or the user must be coerced into opening a malicious file. Although no widely confirmed exploitation has been reported, publicly available proof\u2011of\u2011concept code exists, underscoring the importance of applying the fix promptly."}}}}, "created": "2026-03-04T14:54:24.187979+00:00", "updated": "2026-04-18T10:15:25.869781+00:00", "vendors": ["xlnt-community", "xlnt-community$PRODUCT$xlnt"]}