EPPlus version 8.5.3

JanKallman · JanKallman · commit b333523acb0d · 2026-04-16T12:08:21.000+02:00
diff --git a/SECURITY.md b/SECURITY.md
@@ -39,7 +39,7 @@ Since version 7.5 the EPPlus Nuget package and the EPPlus libraries/dll:s are di
 
 |Detected|Resolved|Affected EPPlus versions|CVE|Our comment|Resolution|
 |-|-|-|-|-|-|
-|April 15, 2026|April 16, 2026|EPPlus 8.x,targeting .NET 9 or 10|[Microsoft Security Advisory - CVE-2026-33116](https://github.com/advisories/GHSA-37gx-xxp4-5rgx) and [Microsoft Security Advisory - CVE-2026-26171](https://github.com/advisories/GHSA-w3x6-4m5h-cxqf)|Microsoft has released a security fix in System.Security.Cryptography.Xml 10.0.6 and 9.0.15. EPPlus uses this package to create and validate digital signatures for workbooks. The potential risk for most users should be very low.|Patch released in version 8.5.2|
+|April 15, 2026|April 16, 2026|EPPlus 8.x,targeting .NET 9 or 10|[Microsoft Security Advisory - CVE-2026-33116](https://github.com/advisories/GHSA-37gx-xxp4-5rgx) and [Microsoft Security Advisory - CVE-2026-26171](https://github.com/advisories/GHSA-w3x6-4m5h-cxqf)|Microsoft has released a security fix in System.Security.Cryptography.Xml 10.0.6 and 9.0.15. EPPlus uses this package to create and validate digital signatures for workbooks. The potential risk for most users should be very low.|Patch released in version 8.5.3|
 |October 10, 2024|October 11, 2024|EPPlus 7.x,targeting .NET 7 or 8|[Microsoft Security Advisory CVE-2024-38095](https://github.com/advisories/GHSA-447r-wph3-92pm) and [Microsoft Security Advisory CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w)|Microsoft has released a security fix in Microsoft.Extensions.Configuration.Json 8.0.1. The potential risk for most users should be low.|Patch  released in version 7.4.1|
 |September 9, 2024||EPPlus 7.x, targeting .NET 7 or 8|[Microsoft Security Advisory CVE-2024-38095](https://github.com/advisories/GHSA-447r-wph3-92pm) and [Microsoft Security Advisory CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w)|Microsoft has released security fixes for System.Text.Json and System.Formats.Asn1 (transient dependencies in EPPlus). The potential risk for most users should be low.|Patch  released in version 7.3.2|
 |June 15, 2023|June 15, 2023|EPPlus 6.x prior to 6.2.6, targeting .NET 6 or 7.|[.NET Denial of Service vulnerability (CVE 2023-29331)](https://github.com/advisories/GHSA-555c-2p6r-68mm)|Microsoft has released a security fix for a Denial of Service vulnerability (CVE-2023-29331) in System.Security.Cryptography.Pkcs for .NET 6 and .NET 7. EPPlus uses this component for x509 certificates used when signing VBA projects in a workbook. The potential risk for most users should be low, as the certificates used to sign your workbooks are usually known.|Upgrade to EPPlus 6.2.6 or higher|
diff --git a/docs/articles/fixedissues.md b/docs/articles/fixedissues.md
@@ -1,4 +1,7 @@
 # Features / Fixed issues - EPPlus 8
+## Version 8.5.3
+* Downgraded references incorrectly update to 9.x to 8.x in version 8.5.2.
+
 ## Version 8.5.2
 ### Security
 * Updated System.Security.Cryptography.Xml to 10.0.6 to address a security vulnerability (CVE-2026-26171 and CVE-2026-33116).
diff --git a/src/Directory.Packages.props b/src/Directory.Packages.props
@@ -7,12 +7,12 @@
     <PackageVersion Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
     <PackageVersion Include="MSTest" Version="3.10.2" />
     <PackageVersion Include="System.ComponentModel.Annotations" Version="5.0.0" />
-    <PackageVersion Include="System.Drawing.Common" Version="9.0.15" />
-    <PackageVersion Include="System.Formats.Asn1" Version="9.0.15" />
-    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.15" />
-    <PackageVersion Include="System.Security.Cryptography.Xml" Version="9.0.15" />
-    <PackageVersion Include="System.Text.Encoding.CodePages" Version="9.0.15" />
-    <PackageVersion Include="System.Text.Json" Version="9.0.15" />
+    <PackageVersion Include="System.Drawing.Common" Version="8.0.26" />
+    <PackageVersion Include="System.Formats.Asn1" Version="8.0.2" />
+    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
+    <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.3" />
+    <PackageVersion Include="System.Text.Encoding.CodePages" Version="8.0.0" />
+    <PackageVersion Include="System.Text.Json" Version="8.0.6" />
   </ItemGroup>
   <ItemGroup>
     <PackageVersion Include="FakeItEasy" Version="8.0.0" />
diff --git a/src/EPPlus/EPPlus.csproj b/src/EPPlus/EPPlus.csproj
@@ -1,9 +1,9 @@
 ﻿<Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
 		<TargetFrameworks>net8.0;net9.0;net10.0;netstandard2.1;netstandard2.0;net462;net35</TargetFrameworks>
-		<AssemblyVersion>8.5.2.0</AssemblyVersion>
-		<FileVersion>8.5.2.0</FileVersion>
-		<Version>8.5.2</Version>
+		<AssemblyVersion>8.5.3.0</AssemblyVersion>
+		<FileVersion>8.5.3.0</FileVersion>
+		<Version>8.5.3</Version>
 		<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
 		<PackageProjectUrl>https://epplussoftware.com</PackageProjectUrl>
 		<Authors>EPPlus Software AB</Authors>
@@ -18,14 +18,17 @@
 		<PackageReadmeFile>readme.md</PackageReadmeFile>
 		<Copyright>EPPlus Software AB</Copyright>
 		<PackageReleaseNotes>
-			EPPlus 8.5.2
+			EPPlus 8.5.3
 
 			IMPORTANT NOTICE!
 			From version 5 EPPlus changes the license model using a dual license, Polyform Non Commercial / Commercial license.
 			EPPlus will still have the source available, but for non Polyform NC compliant projects, EPPlus will provide a commercial license.
 			Commercial licenses can be purchased from https://epplussoftware.com
 			This applies to EPPlus version 5 and later. Earlier versions are still licensed LGPL.
 
+			## Version 8.5.3
+			* Downgraded .NET 8 references incorrectly update to 9.x to 8.x.
+
 			## Version 8.5.2
 			* Updated System.Security.Cryptography.XML to address a vulnerability.
 			* Minor bug fixes. See https://epplussoftware.com/Developers/MinorFeaturesAndIssues
@@ -563,8 +566,9 @@
 			A list of fixed issues can be found here https://epplussoftware.com/docs/7.0/articles/fixedissues.html
 
 			Version history
+			8.5.3			20260416 Updated .NET 8 references incorrectly update to 9.x to 8.x.
 			8.5.2			20260416 Minor bug fixes. See https://epplussoftware.com/Developers/MinorFeaturesAndIssues
-			8.5.1			20260330 Minor bug fixes. 
+			8.5.1			20260330 Minor bug fixes.
 			8.5.0			20260306 Minor features and bug fixes.
 			8.4.2			20260204 Minor bug fixes.
 			8.4.1			20260112 Minor bug fixes.
