CVE-2026-2703
- Source
- https://cve.org/CVERecord?id=CVE-2026-2703
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2703.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-2703
- Published
- 2026-02-19T07:17:49.477Z
- Modified
- 2026-02-21T00:35:57.388554Z
- Severity
-
- 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- [none]
- Details
-
A weakness has been identified in xlnt-community xlnt up to 1.6.1. Impacted is the function xlnt::detail::decode_base64 of the file source/detail/cryptography/base64.cpp of the component Encrypted XLSX File Parser. Executing a manipulation can lead to off-by-one. The attack requires local access. The exploit has been made available to the public and could be used for attacks. This patch is called f2d7bf494e5c52706843cf7eb9892821bffb0734. Applying a patch is advised to resolve this issue.
- References
-
- https://github.com/oneafter/0128/blob/main/xl1/repro
- https://github.com/xlnt-community/xlnt/
- https://vuldb.com/?ctiid.346649
- https://vuldb.com/?id.346649
- https://vuldb.com/?submit.754377
- https://github.com/xlnt-community/xlnt/issues/137
- https://github.com/xlnt-community/xlnt/commit/f2d7bf494e5c52706843cf7eb9892821bffb0734
Affected packages
Git / github.com/xlnt-community/xlnt
Affected ranges
- Type
- GIT
- Repo
- https://github.com/xlnt-community/xlnt
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v0.*
v0.9.0
v0.9.1
v0.9.2
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.6.1
Database specific
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-2703.json"
vanir_signatures
[
{
"digest": {
"line_hashes": [
"294004409167803484655518375459720785833",
"313182549887546401374845835312687812045",
"197694486794752061003407397536609331338",
"163469820562559622196221778517281111627",
"36376994209861132912143590274346680481",
"138679251401729705227171864261448809125"
],
"threshold": 0.9
},
"id": "CVE-2026-2703-528e668f",
"source": "https://github.com/xlnt-community/xlnt/commit/f2d7bf494e5c52706843cf7eb9892821bffb0734",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "source/detail/cryptography/base64.hpp"
},
"signature_type": "Line"
},
{
"digest": {
"length": 1866.0,
"function_hash": "179078999246712399799297840132986866496"
},
"id": "CVE-2026-2703-a38bec37",
"source": "https://github.com/xlnt-community/xlnt/commit/f2d7bf494e5c52706843cf7eb9892821bffb0734",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "source/detail/cryptography/base64.cpp",
"function": "decode_base64"
},
"signature_type": "Function"
},
{
"digest": {
"line_hashes": [
"9273301092784325900993085219243301676",
"266763168467957403350286018969559530578",
"225576704630723207781376261651428203497",
"170112818145254095508107194102109233977",
"159868310532218374090009129343719445577",
"264839308703357296641876567466675944712",
"151115812028466079329918454402709628369",
"154080546146703865969438363449523925441",
"297444467167055263089179413279243148032",
"296484806932856556260743982063427639474",
"293305128102122074427073065470901379424",
"187898350134461082785689390476853690245",
"47206974268772451270529500203223173690",
"258785949242237478525591266031771800070",
"146047813372830457530053073466772793000",
"244791488814487776790681145975645187857",
"321214378615948894194736783885961284069",
"121095137403607973959516212457596066596",
"209008564477809655580110007359204588069",
"57862371749751065298334194011945452635",
"284598283540837101875965790544749847542",
"129890764106088091252897207498430754818",
"304951345865246873887660504685687200786",
"20021767116230078231964686018052447929"
],
"threshold": 0.9
},
"id": "CVE-2026-2703-b117b1c0",
"source": "https://github.com/xlnt-community/xlnt/commit/f2d7bf494e5c52706843cf7eb9892821bffb0734",
"deprecated": false,
"signature_version": "v1",
"target": {
"file": "source/detail/cryptography/base64.cpp"
},
"signature_type": "Line"
}
]