EPPlus version 8.5.2

Author: JanKallman

SECURITY.md

@@ -1,20 +1,21 @@
 # Security Policy
 
-_Last updated: 2026-01-08_
+*Last updated: 2026-04-16*
 
 ## Supported Versions
 
-EPPlus 7 and 8 are automatically scanned for vulnerabilities and static code analysis is performed as part of the CI. 
+EPPlus 7 and 8 are automatically scanned for vulnerabilities and static code analysis is performed as part of the CI.
 
-| Version | Supported          | Comment            | Deprecation date |
-| ------- | ------------------ | ------------------ |----|
-| 8.x.x   | :white_check_mark: |                    ||
-| 7.x.x   | :white_check_mark: |                    ||
-| 6.x.x   | :x:                |Deprecated/unsupported versions              |2025-12-31|
-| 5.x.x   | :x:                |Deprecated/unsupported versions              |2024-12-31|
-| < 4.5   | :x:                |Deprecated/unsupported versions|2020-12-31|
+|Version|Supported|Comment|Deprecation date|
+|-|-|-|-|
+|8.x.x|:white\_check\_mark:|||
+|7.x.x|:white\_check\_mark:|||
+|6.x.x|:x:|Deprecated/unsupported versions|2025-12-31|
+|5.x.x|:x:|Deprecated/unsupported versions|2024-12-31|
+|< 4.5|:x:|Deprecated/unsupported versions|2020-12-31|
 
 ## Security update policy
+
 Security patches will be provided via new revisions released in our public Nuget feed. One patch for each supported major version/the two latest minor versions will be provided. [Subscribe to our newsletter](https://epplussoftware.com/en/Home/Newsletter) to get updates from EPPlus Software.
 
 ## Reporting a Vulnerability
@@ -26,15 +27,22 @@ If you discover a security vulnerability in EPPlus, please report it through Git
 
 This ensures the report stays private until we have assessed and addressed the issue. Please do not report security vulnerabilities through the public issue tracker.
 
-## Code signing 
+## Code signing
+
 Since version 7.5 the EPPlus Nuget package and the EPPlus libraries/dll:s are digitally signed by EPPlus Software AB.
 
 ## See also
-- [EPPlus versioning](https://github.com/EPPlusSoftware/EPPlus/wiki/Releases-versioning)
+
+* [EPPlus versioning](https://github.com/EPPlusSoftware/EPPlus/wiki/Releases-versioning)
 
 ## Vulnerabilities
+
 |Detected|Resolved|Affected EPPlus versions|CVE|Our comment|Resolution|
-|--------|--------| ----------------------|---|----------|----------|
+|-|-|-|-|-|-|
+|April 15, 2026|April 16, 2026|EPPlus 8.x,targeting .NET 9 or 10|[Microsoft Security Advisory - CVE-2026-33116](https://github.com/advisories/GHSA-37gx-xxp4-5rgx) and [Microsoft Security Advisory - CVE-2026-26171](https://github.com/advisories/GHSA-w3x6-4m5h-cxqf)|Microsoft has released a security fix in System.Security.Cryptography.Xml 10.0.6 and 9.0.15. EPPlus uses this package to create and validate digital signatures for workbooks. The potential risk for most users should be very low.|Patch released in version 8.5.2|
 |October 10, 2024|October 11, 2024|EPPlus 7.x,targeting .NET 7 or 8|[Microsoft Security Advisory CVE-2024-38095](https://github.com/advisories/GHSA-447r-wph3-92pm) and [Microsoft Security Advisory CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w)|Microsoft has released a security fix in Microsoft.Extensions.Configuration.Json 8.0.1. The potential risk for most users should be low.|Patch  released in version 7.4.1|
 |September 9, 2024||EPPlus 7.x, targeting .NET 7 or 8|[Microsoft Security Advisory CVE-2024-38095](https://github.com/advisories/GHSA-447r-wph3-92pm) and [Microsoft Security Advisory CVE-2024-30105](https://github.com/advisories/GHSA-hh2w-p6rv-4g7w)|Microsoft has released security fixes for System.Text.Json and System.Formats.Asn1 (transient dependencies in EPPlus). The potential risk for most users should be low.|Patch  released in version 7.3.2|
 |June 15, 2023|June 15, 2023|EPPlus 6.x prior to 6.2.6, targeting .NET 6 or 7.|[.NET Denial of Service vulnerability (CVE 2023-29331)](https://github.com/advisories/GHSA-555c-2p6r-68mm)|Microsoft has released a security fix for a Denial of Service vulnerability (CVE-2023-29331) in System.Security.Cryptography.Pkcs for .NET 6 and .NET 7. EPPlus uses this component for x509 certificates used when signing VBA projects in a workbook. The potential risk for most users should be low, as the certificates used to sign your workbooks are usually known.|Upgrade to EPPlus 6.2.6 or higher|
+
+
+

appveyor8.yml

@@ -1,4 +1,4 @@
-version: 8.5.1.{build}
+version: 8.5.2.{build}
 branches:
   only:
   - develop8
@@ -10,15 +10,15 @@ install:
     & $env:temp\dotnet-install.ps1 -Architecture x64 -Version '10.0.100' -InstallDir "$env:ProgramFiles\dotnet"
 init:
 - ps: >-
-    Update-AppveyorBuild -Version "8.5.1.$env:appveyor_build_number-$(Get-Date -format yyyyMMdd)-$env:appveyor_repo_branch"
+    Update-AppveyorBuild -Version "8.5.2.$env:appveyor_build_number-$(Get-Date -format yyyyMMdd)-$env:appveyor_repo_branch"
 
-    Write-Host "8.5.1.$env:appveyor_build_number-$(Get-Date -format yyyyMMdd)-$env:appveyor_repo_branch"
+    Write-Host "8.5.2.$env:appveyor_build_number-$(Get-Date -format yyyyMMdd)-$env:appveyor_repo_branch"
 dotnet_csproj:
   patch: true
   file: '**\*.csproj'
   version: '{version}'
-  assembly_version: 8.5.1.{build}
-  file_version: 8.5.1.{build}
+  assembly_version: 8.5.2.{build}
+  file_version: 8.5.2.{build}
 nuget:
   project_feed: true
 before_build:

docs/articles/fixedissues.md

@@ -1,4 +1,16 @@
 # Features / Fixed issues - EPPlus 8
+## Version 8.5.2
+### Security
+* Updated System.Security.Cryptography.Xml to 10.0.6 to address a security vulnerability (CVE-2026-26171 and CVE-2026-33116).
+###Bug Fixes
+* ´ExcelRange.LoadFromCollection´: ´DisplayAttribute.Name´ was used directly instead of ´DisplayAttribute.GetName()´, causing resource keys to appear as column headers instead of localized values when ResourceType was set.
+* ´ExcelRange.LoadFromCollection´: ´EpplusTableColumnAttribute.Order´ was ignored when ´DisplayAttribute´ was also present.
+* Fixed various issues with the LAMBDA function and variable expressions.
+* Fixed an issue with the VSTACK and HSTACK functions when the argument is a single-cell range.
+* The IFS function did not handle arrays in the condition arguments.
+* The SORTBY function now preserves the original order of rows/columns when the sort key is not unique.
+* EPPlus will now throw a ´NotSupportedException´ if opening workbooks saved in the Strict OpenXML format.
+
 ## Version 8.5.1
 * Negation of numeric string values now returns the negated number instead of a #VALUE! error in the formula calculation.
 * ´ExcelPackage.Configure´ now sets ´IConfiguration´ for license info.

src/Directory.Packages.props

@@ -7,12 +7,12 @@
     <PackageVersion Include="Microsoft.IO.RecyclableMemoryStream" Version="3.0.1" />
     <PackageVersion Include="MSTest" Version="3.10.2" />
     <PackageVersion Include="System.ComponentModel.Annotations" Version="5.0.0" />
-    <PackageVersion Include="System.Drawing.Common" Version="8.0.14" />
-    <PackageVersion Include="System.Formats.Asn1" Version="8.0.2" />
-    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="8.0.1" />
-    <PackageVersion Include="System.Security.Cryptography.Xml" Version="8.0.2" />
-    <PackageVersion Include="System.Text.Encoding.CodePages" Version="8.0.0" />
-    <PackageVersion Include="System.Text.Json" Version="8.0.5" />
+    <PackageVersion Include="System.Drawing.Common" Version="9.0.15" />
+    <PackageVersion Include="System.Formats.Asn1" Version="9.0.15" />
+    <PackageVersion Include="System.Security.Cryptography.Pkcs" Version="9.0.15" />
+    <PackageVersion Include="System.Security.Cryptography.Xml" Version="9.0.15" />
+    <PackageVersion Include="System.Text.Encoding.CodePages" Version="9.0.15" />
+    <PackageVersion Include="System.Text.Json" Version="9.0.15" />
   </ItemGroup>
   <ItemGroup>
     <PackageVersion Include="FakeItEasy" Version="8.0.0" />

src/EPPlus/EPPlus.csproj

@@ -1,9 +1,9 @@
 <Project Sdk="Microsoft.NET.Sdk">
 	<PropertyGroup>
 		<TargetFrameworks>net8.0;net9.0;net10.0;netstandard2.1;netstandard2.0;net462;net35</TargetFrameworks>
-		<AssemblyVersion>8.5.1.0</AssemblyVersion>
-		<FileVersion>8.5.1.0</FileVersion>
-		<Version>8.5.1</Version>
+		<AssemblyVersion>8.5.2.0</AssemblyVersion>
+		<FileVersion>8.5.2.0</FileVersion>
+		<Version>8.5.2</Version>
 		<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
 		<PackageProjectUrl>https://epplussoftware.com</PackageProjectUrl>
 		<Authors>EPPlus Software AB</Authors>
@@ -18,24 +18,28 @@
 		<PackageReadmeFile>readme.md</PackageReadmeFile>
 		<Copyright>EPPlus Software AB</Copyright>
 		<PackageReleaseNotes>
-			EPPlus 8.5.1
+			EPPlus 8.5.2
 
 			IMPORTANT NOTICE!
 			From version 5 EPPlus changes the license model using a dual license, Polyform Non Commercial / Commercial license.
 			EPPlus will still have the source available, but for non Polyform NC compliant projects, EPPlus will provide a commercial license.
 			Commercial licenses can be purchased from https://epplussoftware.com
 			This applies to EPPlus version 5 and later. Earlier versions are still licensed LGPL.
 
-			## Version 8.5.1
+			## Version 8.5.2
+			* Updated System.Security.Cryptography.XML to address a vulnerability.
 			* Minor bug fixes. See https://epplussoftware.com/Developers/MinorFeaturesAndIssues
-			
+
+			## Version 8.5.1
+			* Minor bug fixes.
+
 			## Version 8.5.0
 			* Added ´CancellationToken´ option to the Calculate method.
 			* Added property ´ValueFromCellsRange´ and the ´SetValueFromCellsRange´ method to data labels on chart series.
-			* Minor bug fixes. 
+			* Minor bug fixes.
 
 			## Version 8.4.2
-			* Minor bug fixes. 
+			* Minor bug fixes.
 
 			## Version 8.4.1
 			* Minor bug fixes.
@@ -559,7 +563,8 @@
 			A list of fixed issues can be found here https://epplussoftware.com/docs/7.0/articles/fixedissues.html
 
 			Version history
-			8.5.1			20260330 Minor bug fixes. See https://epplussoftware.com/Developers/MinorFeaturesAndIssues
+			8.5.2			20260416 Minor bug fixes. See https://epplussoftware.com/Developers/MinorFeaturesAndIssues
+			8.5.1			20260330 Minor bug fixes. 
 			8.5.0			20260306 Minor features and bug fixes.
 			8.4.2			20260204 Minor bug fixes.
 			8.4.1			20260112 Minor bug fixes.
@@ -760,20 +765,20 @@
 	</ItemGroup>
 
 	<ItemGroup Condition="'$(TargetFramework)' == 'net9.0'">
-		<PackageReference Include="Microsoft.Extensions.Configuration.Json" VersionOverride="9.0.3" />
+		<PackageReference Include="Microsoft.Extensions.Configuration.Json" VersionOverride="9.0.15" />
 		<PackageReference Include="Microsoft.IO.RecyclableMemoryStream" />
-		<PackageReference Include="System.Security.Cryptography.Pkcs" VersionOverride="9.0.3" />
+		<PackageReference Include="System.Security.Cryptography.Pkcs" VersionOverride="9.0.15" />
 		<PackageReference Include="System.ComponentModel.Annotations" />
-		<PackageReference Include="System.Text.Encoding.CodePages" VersionOverride="9.0.3" />
-		<PackageReference Include="System.Security.Cryptography.Xml" VersionOverride="9.0.3" />
+		<PackageReference Include="System.Text.Encoding.CodePages" VersionOverride="9.0.15" />
+		<PackageReference Include="System.Security.Cryptography.Xml" VersionOverride="9.0.15" />
 	</ItemGroup>
 	<ItemGroup Condition="'$(TargetFramework)' == 'net10.0'">
-		<PackageReference Include="Microsoft.Extensions.Configuration.Json" VersionOverride="10.0.0" />
+		<PackageReference Include="Microsoft.Extensions.Configuration.Json" VersionOverride="10.0.6" />
 		<PackageReference Include="Microsoft.IO.RecyclableMemoryStream" />
-		<PackageReference Include="System.Security.Cryptography.Pkcs" VersionOverride="10.0.0" />
+		<PackageReference Include="System.Security.Cryptography.Pkcs" VersionOverride="10.0.6" />
 		<PackageReference Include="System.ComponentModel.Annotations" />
-		<PackageReference Include="System.Text.Encoding.CodePages" VersionOverride="10.0.0" />
-		<PackageReference Include="System.Security.Cryptography.Xml" VersionOverride="10.0.0" />
+		<PackageReference Include="System.Text.Encoding.CodePages" VersionOverride="10.0.6" />
+		<PackageReference Include="System.Security.Cryptography.Xml" VersionOverride="10.0.6" />
 	</ItemGroup>
 	<ItemGroup>
 		<Compile Remove="LoadFunctions\HeaderReader.cs" />

src/EPPlus/FormulaParsing/Excel/Functions/BuiltInFunctions.cs

@@ -336,7 +336,7 @@ public BuiltInFunctions()
             // Reference and lookup
             Functions["address"] = new Address();
             Functions["areas"] = new Areas();
-            Functions["groupby"] = new GroupBy();
+            //Functions["groupby"] = new GroupBy();  //Will be released in next minor release.
             Functions["hlookup"] = new HLookup();
             Functions["vlookup"] = new VLookup();
             Functions["xlookup"] = new Xlookup();