Le Dinh Hai discovered that Spreadsheet::ParseExcel was passing unvalidated
input from a file into a string-type “eval”. An attacker could craft a
malicious file to achieve arbitrary code execution.

Read More