Description
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
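As an added illustration (not PhpSpreadsheet's own code), the Python model below reproduces the escaping guard the description refers to: the callback runs only when the formatted text strictly equals the raw cell value, so a format such as @ "items" bypasses it, while the fixed variant escapes the complete formatted output. The names `uses_text_placeholder_with_literal` (a hypothetical helper for auditing format codes pulled from a workbook) and `substitute_text` (a simplified model of @ substitution) are assumptions of this example.

```python
import html
import re
from typing import Callable

# A double-quoted literal inside a number-format code, e.g. the "items" in @ "items".
_QUOTED_LITERAL = re.compile(r'("[^"]*")')


def uses_text_placeholder_with_literal(format_code: str) -> bool:
    """Trigger condition from the advisory: the format code carries the @ text
    placeholder together with quoted literal text. Hypothetical audit helper
    for format codes read out of a workbook before it reaches the HTML Writer."""
    return "@" in format_code and _QUOTED_LITERAL.search(format_code) is not None


def substitute_text(value: str, format_code: str) -> str:
    """Simplified model of @ substitution: quoted literals are emitted without
    their quotes, every @ outside quotes is replaced by the cell value, and a
    format with no @ shows a text cell unchanged."""
    if "@" not in format_code:
        return value
    parts = []
    for token in _QUOTED_LITERAL.split(format_code):
        if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
            parts.append(token[1:-1])          # literal text from the format code
        else:
            parts.append(token.replace("@", value))
    return "".join(parts)


def format_vulnerable(value: str, format_code: str,
                      escape: Callable[[str], str] = html.escape) -> str:
    """Pre-fix logic: the escaping callback runs only when formatting left the
    value untouched, so any @ format with literal text skips it entirely."""
    formatted = substitute_text(value, format_code)
    return escape(formatted) if formatted == value else formatted


def format_fixed(value: str, format_code: str,
                 escape: Callable[[str], str] = html.escape) -> str:
    """Fixed logic: escape the whole formatted output unconditionally, so neither
    the cell value nor literal text in the format code can reach the HTML raw."""
    return escape(substitute_text(value, format_code))
```

The audit helper flags only the format codes that hit the vulnerable path; cells formatted with a bare @ or a numeric format are escaped by both variants.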
Published: 2026-05-05
Score: 4.8 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from PhpSpreadsheet’s HTML Writer skipping the standard escaping routine when a custom number format contains the @ placeholder followed by quoted literal text. In this scenario, the library substitutes the raw cell value directly into the HTML output, allowing any embedded markup to be rendered. An attacker supplying malicious cell contents can inject arbitrary HTML or JavaScript, leading to cross‑site scripting attacks once the HTML export is served to users. This flaw is a classic XSS weakness (CWE‑79).

Affected Systems

The flaw is present in all PHPOffice:PhpSpreadsheet releases from 1.30.3 through 5.6.0, except the patched versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0. Environments that use any of those vulnerable versions and employ the HTML Writer to convert spreadsheets to HTML are exposed.

Risk and Exploitability

The base CVSS score of 4.8 reflects a moderate risk. No EPSS data is currently available, and the vulnerability is not listed in CISA KEV. Exploitation requires delivering a spreadsheet file that will be processed by the HTML Writer, so systems that load third‑party spreadsheet data and render it as HTML are the primary targets. Successful exploitation permits arbitrary script injection, which could deface pages, harvest session cookies, or enable phishing, but it does not provide direct remote code execution or privilege escalation on its own.

Generated by OpenCVE AI on May 5, 2026 at 21:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PhpSpreadsheet to a fixed release—at least 1.30.4 or newer—so that the HTML Writer restores proper escaping. If a full library upgrade is impossible, consider upgrading only the HTML Writer component if it can be isolated.
  • If an upgrade cannot be performed immediately, avoid using custom number formats that contain the @ placeholder with quoted literal text in any code paths that invoke the HTML Writer, and sanitize cell values before exporting them so that no malicious markup can be injected.
  • Audit all code that loads spreadsheet files from untrusted sources and enforce strict input validation or sandboxing so that only trusted data is passed to the HTML Writer. As a temporary measure, disable the HTML Writer for sensitive contexts if remediation cannot be applied promptly.

Generated by OpenCVE AI on May 5, 2026 at 21:22 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-6wpp-88cp-7q68
Title: PhpSpreadsheet has XSS via NumberFormat @ Text Substitution in HTML Writer
History

Tue, 05 May 2026 22:15:00 +0000

Values added:
  First Time appeared: Phpoffice; Phpoffice phpspreadsheet
  Vendors & Products: Phpoffice; Phpoffice phpspreadsheet

Tue, 05 May 2026 20:00:00 +0000

Values added:
  Description: PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
  Title: PhpSpreadsheet XSS via number format text substitution in HTML Writer
  Weaknesses: CWE-79
  References: (none listed)
  Metrics: cvssV4_0 {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-05T19:39:54.507Z

Reserved: 2026-04-02T19:25:52.192Z

Link: CVE-2026-35453

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T20:16:38.367

Modified: 2026-05-05T20:16:38.367

Link: CVE-2026-35453

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T22:00:11Z

Weaknesses