A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compounddocumentistreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.
{
"cna_assigner": "VulDB",
"cwe_ids": [
"CWE-119",
"CWE-125"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/3xxx/CVE-2026-3663.json"
}{
"extracted_events": [
{
"introduced": "1.6.0"
},
{
"last_affected": "1.6.0"
},
{
"introduced": "1.6.1"
},
{
"last_affected": "1.6.1"
},
{
"introduced": "0"
}
],
"cpe": "cpe:2.3:a:xlnt-community:xlnt:*:*:*:*:*:*:*:*",
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
]
}