PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-59162 qax-os CVE debrief

CVE-2026-59162 is a vulnerability in Excelize, a Go library for reading and writing Microsoft Excel spreadsheets. Prior to version 2.11.0, Excelize does not properly handle shared-string cell values, allowing an attacker to trigger a panic when reading a malformed XLSX file through the GetCellValue or GetRows functions. The vulnerability exists because Excelize uses strconv.Atoi to parse shared-string cell values and only checks the upper bound before indexing the shared string slice. This allows an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and cause a panic. The issue was fixed in version 2.11.0. Developers using the Excelize library in their Go applications should be aware of this vulnerability and take steps to ensure they are using a patched version of the library.

Vendor
qax-os
Product
excelize
CVSS
MEDIUM 6.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Developers using the Excelize library in their Go applications should be aware of this vulnerability and take steps to ensure they are using a patched version of the library. They should validate and sanitize XLSX file inputs, implement error handling for GetCellValue and GetRows functions, and review compensating controls for exposed systems while remediation is scheduled and verified.

Technical summary

The vulnerability exists because Excelize uses strconv.Atoi to parse shared-string cell values and only checks the upper bound before indexing the shared string slice. This allows an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and cause a panic. The issue was fixed in version 2.11.0. Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and panic when read through GetCellValue or GetRows.

Defensive priority

Medium

Recommended defensive actions

  • Update to Excelize version 2.11.0 or later
  • Validate and sanitize XLSX file inputs
  • Implement error handling for GetCellValue and GetRows functions
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T17:17:02.377Z and last modified on 2026-07-10T19:17:26.940Z. The NVD entry is currently Undergoing Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. Excelize is a Go language library for reading and writing Microsoft Excel spreadsheets. Prior to 2.11.0, Excelize parses shared-string cell values with strconv.Atoi and checks only the upper bound before indexing the shared string slice, allowing an XLSX file containing a shared-string cell with -1 to trigger sharedStrings[-1] and panic when read through GetCellValue or GetRows.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:17:02.377Z and has not been modified since then.