{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3664", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2026-03-06T20:34:45.441Z", "datePublished": "2026-03-07T14:32:12.856Z", "dateUpdated": "2026-03-11T16:29:17.998Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-07T14:32:12.856Z"}, "title": "xlnt-community xlnt Encrypted XLSX File compound_document.cpp read_directory out-of-bounds", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-125", "lang": "en", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-119", "lang": "en", "description": "Memory Corruption"}]}], "affected": [{"vendor": "xlnt-community", "product": "xlnt", "versions": [{"version": "1.6.0", "status": "affected"}, {"version": "1.6.1", "status": "affected"}], "modules": ["Encrypted XLSX File Parser"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C", "baseSeverity": "LOW"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2026-03-06T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2026-03-06T01:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2026-03-06T21:39:54.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "Oneafter (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.349553", "name": "VDB-349553 | xlnt-community xlnt Encrypted XLSX File compound_document.cpp read_directory out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349553", "name": "VDB-349553 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.764646", "name": "Submit #764646 | xlnt-community xlnt commit bceb706 and before Memory Corruption", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xlnt-community/xlnt/issues/141", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0128/blob/main/xl5/repro", "tags": ["exploit"]}, {"url": "https://github.com/xlnt-community/xlnt/pull/147", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/xlnt-community/xlnt/", "tags": ["product"]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T16:14:47.381463Z", "id": "CVE-2026-3664", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:29:17.998Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3664", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T16:14:47.381463Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T16:14:51.612Z"}}], "cna": {"title": "xlnt-community xlnt Encrypted XLSX File compound_document.cpp read_directory out-of-bounds", "credits": [{"lang": "en", "type": "reporter", "value": "Oneafter (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 4.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 3.3, "baseSeverity": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 1.7, "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "xlnt-community", "modules": ["Encrypted XLSX File Parser"], "product": "xlnt", "versions": [{"status": "affected", "version": "1.6.0"}, {"status": "affected", "version": "1.6.1"}]}], "timeline": [{"lang": "en", "time": "2026-03-06T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2026-03-06T01:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2026-03-06T21:39:54.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.349553", "name": "VDB-349553 | xlnt-community xlnt Encrypted XLSX File compound_document.cpp read_directory out-of-bounds", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.349553", "name": "VDB-349553 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.764646", "name": "Submit #764646 | xlnt-community xlnt commit bceb706 and before Memory Corruption", "tags": ["third-party-advisory"]}, {"url": "https://github.com/xlnt-community/xlnt/issues/141", "tags": ["issue-tracking"]}, {"url": "https://github.com/oneafter/0128/blob/main/xl5/repro", "tags": ["exploit"]}, {"url": "https://github.com/xlnt-community/xlnt/pull/147", "tags": ["issue-tracking", "patch"]}, {"url": "https://github.com/xlnt-community/xlnt/", "tags": ["product"]}], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-125", "description": "Out-of-Bounds Read"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-119", "description": "Memory Corruption"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2026-03-07T14:32:12.856Z"}}}, "cveMetadata": {"cveId": "CVE-2026-3664", "state": "PUBLISHED", "dateUpdated": "2026-03-11T16:29:17.998Z", "dateReserved": "2026-03-06T20:34:45.441Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2026-03-07T14:32:12.856Z", "assignerShortName": "VulDB"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:xlnt-community:xlnt:*:*:*:*:*:*:*:*", "matchCriteriaId": "9B381094-639E-4E21-8CB0-60C480F02400", "versionEndIncluding": "1.6.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::compound_document::read_directory of the file source/detail/cryptography/compound_document.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to out-of-bounds read. The attack is restricted to local execution. The exploit has been publicly disclosed and may be utilized. This patch is called 147. Applying a patch is advised to resolve this issue."}, {"lang": "es", "value": "Se determin\u00f3 una vulnerabilidad en xlnt-community xlnt hasta 1.6.1. La funci\u00f3n xlnt::detail::compound_document::read_directory del archivo source/detail/cryptography/compound_document.cpp del componente Encrypted XLSX File Parser se ve afectada. La ejecuci\u00f3n de una manipulaci\u00f3n puede llevar a una lectura fuera de l\u00edmites. El ataque est\u00e1 restringido a la ejecuci\u00f3n local. El exploit ha sido divulgado p\u00fablicamente y puede ser utilizado. Este parche se llama 147. Se aconseja aplicar un parche para resolver este problema."}], "id": "CVE-2026-3664", "lastModified": "2026-04-29T01:00:01.613", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 1.7, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 3.1, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "cna@vuldb.com", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 3.3, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "cna@vuldb.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 1.9, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cna@vuldb.com", "type": "Secondary"}]}, "published": "2026-03-07T15:15:56.240", "references": [{"source": "cna@vuldb.com", "tags": ["Exploit"], "url": "https://github.com/oneafter/0128/blob/main/xl5/repro"}, {"source": "cna@vuldb.com", "tags": ["Product"], "url": "https://github.com/xlnt-community/xlnt/"}, {"source": "cna@vuldb.com", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "url": "https://github.com/xlnt-community/xlnt/issues/141"}, {"source": "cna@vuldb.com", "tags": ["Issue Tracking"], "url": "https://github.com/xlnt-community/xlnt/pull/147"}, {"source": "cna@vuldb.com", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.349553"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.349553"}, {"source": "cna@vuldb.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.764646"}], "sourceIdentifier": "cna@vuldb.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-125"}], "source": "cna@vuldb.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.6.1"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "xlnt", "source": "cna", "vendor": "xlnt-community"}, "product": "xlnt", "vendor": "xlnt-community"}], "analysis": {"en": {"generated_at": "2026-04-16T10:57:14.676682+00:00", "value": {"mitigation_remediation": ["Apply the patch introduced in pull request\u00a0147, which corrects the out\u2011of\u2011bounds read in compound_document.cpp.", "Upgrade the xlnt library to version\u00a01.6.2 or later, where the issue has been resolved.", "If an immediate upgrade is infeasible, tighten local access controls for software that loads xlnt, ensuring only the least privilege users can supply or open encrypted XLSX files."], "summary": {"action": "Apply patch", "impact": "Local out-of-bounds read"}, "threat_synthesis": {"affected_systems": "All releases of xlnt up to and including version 1.6.1 are vulnerable. The issue is confined to the cryptography component that processes encrypted XLSX files. No later versions were mentioned, and the vulnerability is not present in releases newer than 1.6.1.", "description_and_impact": "The defect resides in xlnt-community\u2019s xlnt library, specifically in the Encrypted XLSX File Parser\u2019s read_directory routine in compound_document.cpp. An attacker who can craft malicious input files can trigger a read that goes beyond the intended buffer boundaries. The result is not code execution or privilege escalation; instead it can expose data that resides in memory adjacent to the buffer. The flaw is a classic out\u2011of\u2011bounds read identified by CWE\u2011119 and CWE\u2011125.", "risk_and_exploitability": "The CVSS score is 4.8, indicating moderate severity. EPSS is less than 1\u202f%, suggesting a low probability of exploitation at the current time. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires local execution, and the vulnerability has been publicly disclosed. Consequently, only users with local access to an application that uses xlnt are at risk."}}}}, "created": "2026-03-09T10:05:25.511001+00:00", "updated": "2026-04-16T11:00:10.654332+00:00", "vendors": ["xlnt-community", "xlnt-community$PRODUCT$xlnt"]}