Cyber Resilience

CVE-2026-3663

MediumPublic PoC

Published: 07 March 2026

Published
07 March 2026
Modified
10 March 2026
KEV Added
Patch
CVSS Score v4 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0003 7.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-3663 is a medium-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Xlnt-Community Xlnt. Its CVSS base score is 4.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 7.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-3663 is an out-of-bounds read vulnerability in the xlnt-community xlnt library versions up to 1.6.1. The issue resides in the XLSX File Parser component, specifically the function xlnt::detail::compound_document_istreambuf::xsgetn within the file source/detail/cryptography/compound_document.cpp. Manipulation of input triggers the out-of-bounds read, as documented under CWEs-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-125 (Out-of-bounds Read). The vulnerability carries a CVSS v3.1 base score of 3.3.

Exploitation requires local access (AV:L) with low privileges (PR:L), low attack complexity (AC:L), and no user interaction (UI:N), resulting in unchanged scope (S:U). Successful exploitation leads to low-impact availability disruption (A:L) with no confidentiality (C:N) or integrity (I:N) effects, potentially causing a denial-of-service such as application crash.

Advisories recommend applying the patch named 147, available via the xlnt-community/xlnt GitHub pull request at https://github.com/xlnt-community/xlnt/pull/147, which addresses the issue reported in https://github.com/xlnt-community/xlnt/issues/139. A public proof-of-concept exploit exists at https://github.com/oneafter/0128/blob/main/xl3/repro.

The exploit has been made public, increasing the risk for unpatched xlnt deployments parsing untrusted XLSX files locally.

EU & UK References

Vulnerability details

A vulnerability was found in xlnt-community xlnt up to 1.6.1. This issue affects the function xlnt::detail::compound_document_istreambuf::xsgetn of the file source/detail/cryptography/compound_document.cpp of the component XLSX File Parser. Performing a manipulation results in out-of-bounds read. The attack is only possible with local…

more

access. The exploit has been made public and could be used. The patch is named 147. It is recommended to apply a patch to fix this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

OOB read in XLSX parser enables local application crash/DoS via malicious file (T1499.004 Application or System Exploitation); no RCE, info leak, or priv-esc per CVSS (C:N/I:N/A:L, AV:L).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3463Same product: Xlnt-Community Xlnt
CVE-2026-3386Shared CWE-119, CWE-125
CVE-2026-2659Shared CWE-119, CWE-125
CVE-2026-2858Shared CWE-119, CWE-125
CVE-2026-3731Shared CWE-119, CWE-125
CVE-2026-5315Shared CWE-119, CWE-125
CVE-2026-5314Shared CWE-119, CWE-125
CVE-2026-2662Shared CWE-119, CWE-125
CVE-2026-2644Shared CWE-119, CWE-125
CVE-2025-24265Shared CWE-125

Affected Assets

xlnt-community
xlnt
≤ 1.6.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires applying the available patch (PR 147) that eliminates the out-of-bounds read in the XLSX parser.

prevent

Mandates input validation and bounds checking on untrusted XLSX content before it reaches compound_document_istreambuf::xsgetn.

prevent

Requires memory-protection mechanisms that can contain or block the out-of-bounds read from corrupting adjacent memory.

References