Severity: moderate

Cross-Site Scripting



Versions of exceljs before 1.6.0 are vulnerable to cross-site scripting.

The vulnerability exists because exceljs does not validate data from a parsed XLSX file, which allows HTML tags such as <script> to be embedded directly in sheet cells. As a result, malicious JavaScript can be injected and then executed when data from the sheet is displayed in the browser.


Update to version 1.6.0 or later.
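The rendering pattern described above, next to an output-encoded version, as an added example that is not part of the advisory or of exceljs. `sampleRows` is constructed data standing in for cell values parsed from an untrusted XLSX file, and all function names are hypothetical.

```javascript
// Constructed sample: cell values as an application might hold them after
// parsing an untrusted XLSX file (strings, numbers, rich-text runs, null).
const sampleRows = [
  ['Name', 'Comment'],
  ['alice', '<script>alert(1)</script>'],
  ['bob', { richText: [{ text: 'see ' }, { text: '<b>note</b>' }] }],
  ['carol', 42],
  ['dave', null],
];

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that are significant in HTML text and attributes.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flatten a cell value to the string a viewer would display.
// Rich-text cells carry their text in runs, so the runs are joined.
function cellToText(value) {
  if (value === null || value === undefined) return '';
  if (typeof value === 'object' && Array.isArray(value.richText)) {
    return value.richText.map((run) => run.text).join('');
  }
  return String(value);
}

// Shared table builder; `encode` decides what happens to each cell's text.
function renderTable(rows, encode) {
  const body = rows
    .map((row) => '<tr>' + row.map((c) => `<td>${encode(cellToText(c))}</td>`).join('') + '</tr>')
    .join('');
  return `<table>${body}</table>`;
}

// Vulnerable pattern: cell text reaches the markup unchanged.
function renderTableUnsafe(rows) {
  return renderTable(rows, (text) => text);
}

// Hardened pattern: every cell is HTML-encoded at the point of output.
function renderTableSafe(rows) {
  return renderTable(rows, escapeHtml);
}
```

In browser code, assigning the cell text to an element's `textContent` instead of building an HTML string has the same effect.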


Advisory timeline

  1. published

    Advisory Published
    Dec 11th, 2018