PhpSpreadsheet vulnerable to XSS in HTML writer via custom number...

5.4 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Description

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.

Basic Information

ID CVE-2026-40296

Source GitHub_M

Published May 6, 2026 at 20:48

Affected Product

Vendor PHPOffice

Product PhpSpreadsheet

Version >= 4.0.0, <= 5.6.0

Affected Versions PHPOffice PhpSpreadsheet >= 4.0.0, <= 5.6.0
PHPOffice PhpSpreadsheet >= 3.3.0, <= 3.10.4
PHPOffice PhpSpreadsheet >= 2.2.0, <= 2.4.4
PHPOffice PhpSpreadsheet >= 2.0.0, <= 2.1.15
PHPOffice PhpSpreadsheet <= 1.30.3

CWE Classification

CWE-79

References

github.com /PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc

{
    "lastseen": "",
    "description": "PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example \". @\", \"@ \", or \"x@\"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.",
    "published": "2026-05-06T20:48:34.504Z",
    "modified": "2026-05-06T20:48:34.504Z",
    "type": "cve",
    "title": "PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes",
    "source": "GitHub_M",
    "references": "https://github.com/PHPOffice/PhpSpreadsheet/security/advisories/GHSA-hrmw-qprp-wgmc",
    "id": "CVE-2026-40296",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "PHPOffice PhpSpreadsheet >= 4.0.0, <= 5.6.0\nPHPOffice PhpSpreadsheet >= 3.3.0, <= 3.10.4\nPHPOffice PhpSpreadsheet >= 2.2.0, <= 2.4.4\nPHPOffice PhpSpreadsheet >= 2.0.0, <= 2.1.15\nPHPOffice PhpSpreadsheet <= 1.30.3",
    "sourceHref": "",
    "cvss": {
        "score": 5.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PhpSpreadsheet",
    "version": ">= 4.0.0, <= 5.6.0",
    "vendor": "PHPOffice",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes_CVE-2026-40296