Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
Published: 2026-05-06
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the HTML writer in PhpSpreadsheet that omits htmlspecialchars escaping when a cell’s formatted value differs from the original value. When an attacker supplies a custom number format containing the placeholder @ together with literal characters, the formatter substitutes @ with the cell value and adds the literals, producing a formatted string that skips escaping. This allows an attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and served to users to inject arbitrary script code, resulting in stored cross‑site scripting. The impact is that any user viewing the rendered HTML could execute malicious code in their browser, compromising confidentiality, integrity, and availability of the affected application or its users.

Affected Systems

This issue affects the PHPOffice PhpSpreadsheet library. Versions prior to 5.7.0, 3.10.5, 2.4.5, 2.1.16, or 1.30.4 are vulnerable. The vulnerability exists whenever the library’s HTML writer processes user‑supplied spreadsheets containing malicious custom number formats.

Risk and Exploitability

The CVSS score of 5.4 indicates a moderate impact, and the lack of an EPSS score means current exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog, suggesting no active weaponized exploits are publicly known. The likely attack vector requires that an attacker be able to upload a spreadsheet that is later rendered to HTML for other users, a scenario common in shared document platforms or web applications that display spreadsheet content. If such a path exists, an attacker can achieve stored XSS, which may lead to credential theft or session hijacking.

Generated by OpenCVE AI on May 6, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PhpSpreadsheet to a version that includes the fix (5.7.0 or newer, 3.10.5 or newer, 2.4.5 or newer, 2.1.16 or newer, or 1.30.4 or newer).
  • If upgrading is not immediately possible, sanitize all output of the HTML writer or apply htmlspecialchars to rendered HTML before sending to browsers.
  • Verify that spreadsheets are validated before parsing and restrict the ability to set custom number formats or remove them before rendering.

Generated by OpenCVE AI on May 6, 2026 at 22:21 UTC.
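As an added example (not code from PhpSpreadsheet or OpenCVE), this PHP pre-render pass implements the third recommended action above for an unpatched version: before an untrusted workbook reaches the HTML writer, number formats that combine the "@" text placeholder with other literal characters are reset to General on string cells, which is exactly the format shape the description says defeats escaping. The helper names, the Composer autoloader path and the input path are assumptions.

```php
<?php
// Added example, not PhpSpreadsheet's own code: a pre-render pass for an
// unpatched version that resets number formats using the "@" text placeholder
// with extra literal characters, the shape the advisory describes.
// Assumes the Composer autoloader and an input path given on the command line.
require 'vendor/autoload.php';

use PhpOffice\PhpSpreadsheet\IOFactory;
use PhpOffice\PhpSpreadsheet\Style\NumberFormat;
use PhpOffice\PhpSpreadsheet\Worksheet\Worksheet;
use PhpOffice\PhpSpreadsheet\Writer\Html;

// A bare "@" reproduces the raw value unchanged, so escaping still happens;
// "@" plus any other character (". @", "@ ", "x@") changes the formatted value.
function isRiskyTextFormat(string $formatCode): bool
{
    return strpos($formatCode, '@') !== false
        && str_replace('@', '', $formatCode) !== '';
}

// Reset risky formats on plain string cells to General; returns coordinates touched.
// Only string values can carry markup, so numeric and boolean cells are skipped.
function neutraliseTextFormats(Worksheet $sheet): array
{
    $touched = [];
    foreach ($sheet->getCellCollection()->getCoordinates() as $coordinate) {
        if (!is_string($sheet->getCell($coordinate)->getValue())) {
            continue;
        }
        $numberFormat = $sheet->getStyle($coordinate)->getNumberFormat();
        if (isRiskyTextFormat($numberFormat->getFormatCode())) {
            $numberFormat->setFormatCode(NumberFormat::FORMAT_GENERAL);
            $touched[] = $coordinate;
        }
    }
    return $touched;
}

$spreadsheet = IOFactory::load($argv[1] ?? 'untrusted.xlsx'); // placeholder path
foreach ($spreadsheet->getAllSheets() as $sheet) {
    $touched = neutraliseTextFormats($sheet);
    if ($touched !== []) {
        error_log($sheet->getTitle() . ': reset format on ' . implode(',', $touched));
    }
}
echo (new Html($spreadsheet))->generateHtmlAll();
```

The logged coordinates double as a detection signal for uploads that carry such formats; the pass is a stopgap, and upgrading to the fixed versions named in the description remains the actual fix.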


Advisories
Source: Github GHSA
ID: GHSA-hrmw-qprp-wgmc
Title: PhpSpreadsheet has XSS via number format code with @ text placeholder bypasses htmlspecialchars in HTML writer
History

Thu, 07 May 2026 14:15:00 +0000

Metrics (Values Added): ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 23:00:00 +0000

First Time appeared (Values Added): Phpoffice; Phpoffice phpspreadsheet
Vendors & Products (Values Added): Phpoffice; Phpoffice phpspreadsheet

Wed, 06 May 2026 21:30:00 +0000

Description (Values Added): PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
Title (Values Added): PhpSpreadsheet vulnerable to XSS in HTML writer via custom number format codes
Weaknesses (Values Added): CWE-79
References
Metrics (Values Added): cvssV3_1
{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T14:03:36.388Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40296

Vulnrichment

Updated: 2026-05-07T14:03:32.309Z

NVD

Status: Awaiting Analysis

Published: 2026-05-06T22:16:25.510

Modified: 2026-05-07T15:47:06.387

Link: CVE-2026-40296

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T22:45:13Z

Weaknesses