CVE-2023-7101

CVE-2023-7101: Arbitrary Code Execution (ACE) Vulnerability

Vendor Douglas Wilson
Product Spreadsheet::ParseExcel
Weakness CWE-95 · Eval injection
KEV Status Known Exploited
Published December 24, 2023
Last update October 21, 2025

CVSS base score

What the vulnerability does

01Description

Spreadsheet::ParseExcel version 0.65 is a Perl module used for parsing Excel files. Spreadsheet::ParseExcel is vulnerable to an arbitrary code execution (ACE) vulnerability due to passing unvalidated input from a file into a string-type “eval”. Specifically, the issue stems from the evaluation of Number format strings (not to be confused with printf-style format strings) within the Excel parsing logic.

CISA mandated remediation

02CISA Required Action

Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Key dates

03Disclosure timeline

December 24, 2023 CVE published
October 21, 2025 Record updated