If you suspect you have found a security vulnerability in Apache POI code, please read https://www.apache.org/security/ for how to report the issue. Please do not report the details publicly until the report is reviewed.
We strongly discourage users of Apache POI from using the lib to parse documents from untrusted sources. For more details, please read https://poi.apache.org/security.html.