CVE-2026-59162
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell
CVSS
7.5
High
EPSS
0.5%
p41
KEV
—
Exploit Today
12
0-100
Published: Jul 10, 2026 · Last modified: Jul 16, 2026 · CWE-248 · CWE-755
0.5%EPSS · 30 days0.5%
2026-07-112026-07-16
Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and panic when read through GetCellValue or GetRows. This issue is fixed in version 2.11.0.
- github.comhttps://github.com/qax-os/excelize/commit/93f0b3caed37f21ef5079e3259c6c21dcfe68453
- github.comhttps://github.com/qax-os/excelize/pull/2331
- github.comhttps://github.com/qax-os/excelize/releases/tag/v2.11.0
- github.comhttps://github.com/qax-os/excelize/security/advisories/GHSA-fx5j-qcqg-grpf
- github.comhttps://github.com/qax-os/excelize/security/advisories/GHSA-fx5j-qcqg-grpf
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2024-219077.5 HIG98.2%
——29Newtonsoft.Json before version 13.0.1 is affected by a mishandling of exceptional conditions vulnerability. Crafted data that is passed to the JsonConvert.DeserializeObject method may trigger a StackOverflow exception resulting in denial of service. Depending on the usage of the library, an unauthenticated and remote attacker may be able to cause the denial of service condition.2dCVE-2025-594657.5 HIG88.7%
——27A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```2dCVE-2026-236667.5 HIG67.8%
——20Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.2dCVE-2026-503287.5 HIG64.8%
——19Uncaught exception in Windows Server Update Service allows an unauthorized attacker to perform tampering over a network.1dCVE-2022-279787.5 HIG60.0%
——18Tooljet v1.6 does not properly handle missing values in the API, allowing attackers to arbitrarily reset passwords via a crafted HTTP request.8dCVE-2026-22297.5 HIG54.9%
——16ImpactThe undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.
The vulnerability exists because:
* The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
* The createInflateRaw() call is not wrapped in a try-catch block
* The resulting exception propagates up through the call stack and crashes the Node.js process2d