CVE-2026-54063
QAX-OS · Excelize
The Excelize Go library is vulnerable to a resource exhaustion flaw due to improper limits on resource allocation during spreadsheet processing.
Executive summary
The Excelize library for Go is susceptible to a denial-of-service vulnerability that allows unauthenticated attackers to cause resource exhaustion.
Vulnerability
This is a resource allocation vulnerability (CWE-770) where the library fails to properly throttle or limit resources when parsing spreadsheets. The vulnerability is exploitable by an unauthenticated attacker, as indicated by the CVSS vector (PR:N).
Business impact
A successful exploit allows an attacker to crash the application or exhaust system memory, leading to service unavailability. Given the CVSS score of 7.5, this high-severity flaw poses a significant risk to the availability of any system relying on Excelize to process untrusted user-submitted Excel files.
Remediation
Immediate Action: Update the Excelize Go library to version 2.11.0 or later to implement necessary resource constraints.
Proactive Monitoring: Monitor application logs for unusual spikes in memory consumption or CPU usage during spreadsheet upload and processing tasks.
Compensating Controls: Implement strict file size limits and scan all incoming Excel files for malicious structure or excessive complexity before passing them to the Excelize library for processing.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Organizations utilizing Excelize for processing external spreadsheet data must prioritize upgrading to version 2.11.0. Failure to patch leaves the application infrastructure vulnerable to trivial denial-of-service attacks, which can be easily automated by external actors.