CVE-2018-16459

Name of the Vulnerable Software and Affected Versions exceljs versions prior to 1.6.0

Description The issue is related to an unescaped payload in exceljs, allowing a possible cross-site scripting (XSS) attack via cell value when a worksheet is displayed in a browser. This is due to exceljs not validating data from parsed XLSX files and embedding HTML tags, like

Recommendations Update to version 1.6.0 or later. As a temporary workaround, consider restricting the display of potentially malicious Excel files in browsers until the issue is resolved.