CVE-2026-40296
Stored XSS in PhpSpreadsheet HTML Export
Publication date: 2026-05-06
Last updated on: 2026-05-11
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpoffice | phpspreadsheet | Before 1.30.4 (exc) |
| phpoffice | phpspreadsheet | From 2.0.0 (inc) to 2.1.16 (exc) |
| phpoffice | phpspreadsheet | From 2.2.0 (inc) to 2.4.5 (exc) |
| phpoffice | phpspreadsheet | From 3.3.0 (inc) to 3.10.5 (exc) |
| phpoffice | phpspreadsheet | From 4.0.0 (inc) to 5.7.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PhpSpreadsheet, a PHP library used for reading and writing spreadsheet files. The issue occurs in the HTML writer component, which skips htmlspecialchars escaping when a cell's formatted value differs from its original value.
Specifically, when a cell uses a custom number format containing the text placeholder '@' along with additional literal characters (such as '. @', '@ ', or 'x@'), the formatter replaces '@' with the cell value and adds the extra characters. This causes the formatted value to differ from the original, bypassing HTML escaping entirely.
An attacker who can control both the cell value and the number format in an uploaded spreadsheet that is later converted to HTML and displayed to other users can exploit this to achieve stored cross-site scripting (XSS).
This vulnerability is fixed in PhpSpreadsheet versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
How can this vulnerability impact me?
This vulnerability can lead to stored cross-site scripting (XSS) attacks if an attacker can upload a malicious spreadsheet with crafted cell values and number formats.
When the spreadsheet is converted to HTML and displayed to other users, the malicious script can execute in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or deliver malware.
The impact includes compromised user accounts, data theft, and potential disruption of service or unauthorized actions within the affected application.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade PhpSpreadsheet to one of the fixed versions: 5.7.0, 3.10.5, 2.4.5, 2.1.16, or 1.30.4.
Avoid using or accepting spreadsheet files that contain custom number formats with the text placeholder @ combined with additional literal characters, as this can lead to bypassing HTML escaping and enable stored cross-site scripting.
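The two points above, the escaping defect in the HTML writer and the upload-time check for risky number formats, can be shown side by side. The following PHP is an added example written for this page; it is not PhpSpreadsheet's own code and does not reproduce the library's formatter. `applyTextFormat()` is a deliberately minimal stand-in for the '@' placeholder handling, the function names are this example's own, and the cell value is a constructed sample containing harmless markup.

```php
<?php
declare(strict_types=1);

// Added illustration, not PhpSpreadsheet's own code. applyTextFormat() is a
// minimal stand-in for the library's '@' handling, used only to show why
// "skip escaping when the formatted value differs" is unsafe.

/** Replace the '@' text placeholder with the cell value; other characters are literal. */
function applyTextFormat(string $value, string $formatCode): string
{
    return str_replace('@', $value, $formatCode);
}

/** Escape a string for use inside HTML text content or a quoted attribute. */
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Vulnerable pattern described in the advisory: the writer escapes only when
 * formatting left the value unchanged, so any format that adds a literal
 * character (e.g. 'x@') routes the raw value into the markup unescaped.
 */
function renderCellVulnerable(string $value, string $formatCode): string
{
    $formatted = applyTextFormat($value, $formatCode);
    return ($formatted !== $value) ? $formatted : escapeHtml($value);
}

/** Hardened pattern: always escape the final string that reaches the output. */
function renderCellSafe(string $value, string $formatCode): string
{
    return escapeHtml(applyTextFormat($value, $formatCode));
}

/**
 * Upload-time check matching the advisory's mitigation: flag any custom number
 * format that combines '@' with additional literal characters. A bare '@' is
 * the ordinary text format and is not flagged.
 */
function isRiskyTextFormat(string $formatCode): bool
{
    return strpos($formatCode, '@') !== false && $formatCode !== '@';
}

// Constructed sample cell value containing harmless markup.
$value = '<b>constructed</b>';

foreach (['@', '@ ', 'x@'] as $format) {
    printf(
        "format %-4s risky=%-3s vulnerable=%s | safe=%s\n",
        var_export($format, true),
        isRiskyTextFormat($format) ? 'yes' : 'no',
        renderCellVulnerable($value, $format),
        renderCellSafe($value, $format)
    );
}
```

Running it shows that with the plain `'@'` format both renderers emit `&lt;b&gt;constructed&lt;/b&gt;`, while with `'@ '` or `'x@'` the vulnerable renderer emits the markup unescaped and the safe renderer still escapes it. The `isRiskyTextFormat()` check is what an upload validator would run over each cell's format code before the file is accepted; in PhpSpreadsheet that code is read from the cell's number-format style (the `getFormatCode()` accessor), which is worth confirming against the version you deploy.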
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute stored cross-site scripting (XSS) by controlling cell values and number formats in uploaded spreadsheets that are later converted to HTML and viewed by other users.
Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or other malicious actions that may compromise the confidentiality and integrity of information.
This can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and attacks.