CVE-2026-35453
Analyzed Analyzed - Analysis Complete
HTML Injection in PhpSpreadsheet via Custom Number Format

Publication date: 2026-05-05

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PhpSpreadsheet is a library for reading and writing spreadsheet files. In versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, the HTML Writer skips htmlspecialchars() output escaping when a cell uses a custom number format containing the @ text placeholder with additional literal text (e.g., @ "items"). The escaping is only applied when the formatted output strictly equals the original cell value. When the format code contains @ with quoted literal text, the formatter substitutes the raw cell value into the format string and returns early without invoking the escaping callback. An attacker who can control cell content in a spreadsheet processed by the HTML Writer can inject arbitrary HTML and JavaScript into the generated output. This issue has been fixed in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-08
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35453
EUVD
EUVD-2026-27472
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
phpoffice phpspreadsheet to 1.30.4 (exc)
phpoffice phpspreadsheet From 2.0.0 (inc) to 2.1.16 (exc)
phpoffice phpspreadsheet From 2.2.0 (inc) to 2.4.5 (exc)
phpoffice phpspreadsheet From 3.3.0 (inc) to 3.10.5 (exc)
phpoffice phpspreadsheet From 4.0.0 (inc) to 5.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-35453 vulnerability in PhpSpreadsheet is a Cross-Site Scripting (XSS) issue in the HTML Writer component. It occurs when a spreadsheet cell uses a custom number format containing the @ text placeholder along with additional literal text (for example, @ "items" or "Total: "@). In these cases, the HTML Writer skips the proper escaping of HTML special characters by the htmlspecialchars() function because the formatted output differs from the original cell value.

This means that an attacker who can control the content of a cell in a spreadsheet processed by PhpSpreadsheet's HTML Writer can inject arbitrary HTML or JavaScript into the generated HTML output, potentially leading to XSS attacks.

The vulnerability affects PhpSpreadsheet versions 1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0, and has been fixed in later versions.

Impact Analysis

This vulnerability can allow an attacker to inject malicious HTML or JavaScript code into the HTML output generated by PhpSpreadsheet when processing specially crafted spreadsheet files.

If the generated HTML is served from a web server, this can lead to Cross-Site Scripting (XSS) attacks, which may allow attackers to execute arbitrary scripts in the context of the victim's browser.

Such attacks can result in theft of user credentials, session hijacking, defacement, or other malicious activities depending on the context in which the HTML output is used.

Detection Guidance

Detection of this vulnerability involves identifying usage of vulnerable PhpSpreadsheet versions (1.30.3 and earlier, 2.0.0 through 2.1.15, 2.2.0 through 2.4.4, 3.3.0 through 3.10.4, and 4.0.0 through 5.6.0) and checking for processing of spreadsheet files that contain cells with custom number formats using the @ text placeholder combined with additional literal text.

You can scan your systems or applications for the PhpSpreadsheet library version by running commands such as:

  • For PHP Composer projects: `composer show phpoffice/phpspreadsheet | grep versions`
  • For manual installations, check the version in the PhpSpreadsheet source files or documentation.

Additionally, to detect potential exploitation attempts, monitor logs or inputs for spreadsheet files containing custom number formats with the @ placeholder and literal text, especially if these files are processed to generate HTML output.

Mitigation Strategies

The immediate mitigation step is to upgrade the PhpSpreadsheet library to a fixed version. The vulnerability has been patched in versions 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.

If upgrading is not immediately possible, avoid processing or accepting spreadsheet files that contain cells with custom number formats using the @ placeholder combined with additional literal text, as these can be used to inject malicious HTML or JavaScript.

Also, ensure that any HTML output generated from spreadsheets is properly escaped and sanitized before being served to users.

Compliance Impact

The vulnerability in PhpSpreadsheet allows an attacker to inject arbitrary HTML and JavaScript into the generated HTML output via a Cross-Site Scripting (XSS) flaw. This could lead to unauthorized access or manipulation of data when the HTML output is served from a web server.

Such XSS vulnerabilities can impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and disclosure. If exploited, this vulnerability could enable attackers to compromise data confidentiality and integrity, potentially leading to violations of these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35453. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart