CVE-2026-26171

Description

CVE ID: CVE-2026-26171
Package: System.Security.Cryptography.Xml
Package version: 10.0.0
Severity: High

Affected EPPlus Versions

8.5.1
8.5.0
8.4.2
8.4.1
8.4.0
8.3.1
8.3.0
8.2.1
8.2.0
8.1.1
8.1.0
8.0.8
8.0.7
8.0.6
8.0.5
8.0.4
8.0.3
8.0.2
8.0.1

Status

fix-available — A fix is available. See advisory for details.

Advisory

Microsoft has released a security fix for a vulnerability in System.Security.Cryptography.Xml addressed in versions 10.0.6 and 9.0.15. EPPlus uses this package to create and validate digital signatures for workbooks. The risk for EPPlus users is considered very low, as EPPlus only passes known and validated XML to the affected library, which limits the ability for an attacker to exploit the vulnerability through EPPlus.

Update to EPPlus 8.5.3 to resolve this issue.

Package Fix Information

This information refers to the upstream package (System.Security.Cryptography.Xml), not EPPlus. See the advisory above for EPPlus-specific guidance.

Fix state: fixed
Fixed in version: 10.0.6

Timeline

First detected: 2026-04-16
Last updated: 2026-04-16