7613 matches found
Microsoft Excel Remote Code Execution Vulnerability
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally...
Description of the security update for Excel 2016: May 12, 2026 (KB5002865)
Description of the security update for Excel 2016: May 12, 2026 (KB5002865). Summary: This security update resolves a Microsoft Excel remote code execution vulnerability and a Microsoft Excel information disclosure vulnerability. To learn more about the vulnerabilities, see the following security...
Description of the security update for Office Online Server: May 12, 2026 (KB5002871)
Description of the security update for Office Online Server: May 12, 2026 (KB5002871). Summary: This security update resolves a Microsoft Excel remote code execution vulnerability and a Microsoft Excel information disclosure vulnerability. To learn more about the vulnerabilities, see the following securi...
Microsoft Excel Security Vulnerability
Microsoft Excel is a spreadsheet software within the Office suite developed by Microsoft Corporation. There are security vulnerabilities in Microsoft Excel. Attackers can exploit these vulnerabilities to execute code remotely. The following products and versions are affected: Office Online Server...
Security Updates for Microsoft Office Online Server (May 2026)
The Microsoft Office Online Server or Office Web Apps installation on the remote host is missing security updates. It is, therefore, affected by multiple vulnerabilities: - Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. (CVE-2026-40359) -...
Microsoft Excel Buffer Error Vulnerability
Microsoft Excel is a spreadsheet software within the Office suite developed by Microsoft Corporation. There is a buffer error vulnerability in Microsoft Excel. Attackers can exploit this vulnerability to obtain sensitive information. The following products and versions are affected: Office Online...
PhpSpreadsheet Security Vulnerability
PhpSpreadsheet is a PHP library developed by PHPOffice, designed for reading and writing spreadsheet files. Vulnerabilities exist in versions prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0 of PhpSpreadsheet. These vulnerabilities stem from the XLSX reader’s...
Microsoft Excel Resource Management Error Vulnerability
Microsoft Excel is a spreadsheet software within the Office suite developed by Microsoft Corporation. There is a resource management vulnerability in Microsoft Excel. Attackers can exploit this vulnerability to execute code remotely. The following products and versions are affected: Office Online...
Security Updates for Microsoft Excel Products (May 2026)
The Microsoft Excel Products are missing a security update. They are, therefore, affected by multiple vulnerabilities: - Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. (CVE-2026-40359) - Heap-based buffer overflow in Microsoft Office Excel allows a...
PT-2026-40194
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally...
PT-2026-40197
Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally...
PT-2026-40195
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally...
Microsoft Office Access Control Error Vulnerability
Microsoft Office is a suite of office software products developed by Microsoft Corporation in the United States. Common components of this product include Word, Excel, Access, PowerPoint, and FrontPage. There is an access control error vulnerability in Microsoft Office. Attackers utilize this...
Cross-site Scripting (XSS)
Overview: open-webui is an Open WebUI. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the process that previews Excel file attachments using the sheet_to_html function. An attacker can execute arbitrary scripts in the context of the victim's browser by uploading a...
Open WebUI has stored XSS in Excel file preview
Summary: Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html, causing the payload to trigger. Details: The...
GHSA-JWF8-PV5P-VHMC Open WebUI has stored XSS in Excel file preview
Summary: Excel file attachments are previewed in an unsafe way. A crafted XLSX file payload can be used to cause the sheetjs function sheet_to_html to embed an XSS payload into the generated HTML. This is subsequently added to the DOM unsanitized via @html, causing the payload to trigger. Details: The...
CVE-2026-42267
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM54+51) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joi...
CVE-2026-42267 Kimai: Formula Injection via tag names in XLSX export
Kimai is an open-source time tracking application. From version 2.27.0 to before version 2.54.0, any ROLE_USER can create a tag with a formula string as its name (e.g. =SUM54+51) via POST /api/tags and assign it to a timesheet. When an admin exports timesheets to XLSX, ArrayFormatter.formatValue joi...
PT-2026-39266
Name of the Vulnerable Software and Affected Versions: Open WebUI versions prior to 0.8.0. Description: Excel file attachments are previewed unsafely. A crafted XLSX file can cause the sheet_to_html function to embed a Cross-Site Scripting (XSS) payload into the generated HTML. This content is then...