PatchSiren cyber security CVE debrief
CVE-2026-59161 qax-os CVE debrief
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:02.250Z and has not been modified since then. The Excelize library, used for reading and writing Microsoft Excel spreadsheets in Go, had a vulnerability prior to version 2.11.0. This vulnerability allows a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to an attacker-controlled index, consuming excessive memory and CPU. Users of Excelize library versions prior to 2.11.0 should review and update their dependencies to prevent potential memory and CPU consumption issues.
- Vendor
- qax-os
- Product
- excelize
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-10
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-10
- Advisory updated
- 2026-07-10
Who should care
Users of Excelize library versions prior to 2.11.0 should review and update their dependencies to prevent potential memory and CPU consumption issues. This includes developers and administrators who use the Excelize library in their applications or infrastructure.
Technical summary
The Excelize library, used for reading and writing Microsoft Excel spreadsheets in Go, had a vulnerability prior to version 2.11.0. The streaming worksheet reader used by Rows and GetRows did not enforce the TotalRows limit on the row r attribute. This allowed a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to an attacker-controlled index, consuming excessive memory and CPU. The vulnerability is fixed in version 2.11.0.
Defensive priority
High priority due to potential for denial of service through excessive resource consumption.
Recommended defensive actions
- Update Excelize library to version 2.11.0 or later
- Review and validate input XLSX files for suspicious row numbers
- Implement memory and CPU usage monitoring for Excelize library usage
- Consider compensating controls such as rate limiting or resource quotas
- Review relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record and NVD entry provide limited information about the vulnerability. Further analysis and testing may be required to fully understand the impact and potential mitigations. The vulnerability affects Excelize library versions prior to 2.11.0. Users should review and validate input XLSX files for suspicious row numbers. The streaming worksheet reader used by Rows and GetRows does not enforce the TotalRows limit on the row r attribute, allowing a small XLSX file with a row number above 1048576 and no cell coordinate to make GetRows append empty rows up to an attacker-controlled index and consume excessive memory and CPU.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:02.250Z and has not been modified since then.