CVE-2026-40296
Analyzed Analyzed - Analysis Complete
Stored XSS in PhpSpreadsheet HTML Export

Publication date: 2026-05-06

Last updated on: 2026-05-11

Assigner: GitHub, Inc.

Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional literal characters (for example ". @", "@ ", or "x@"), the formatter replaces @ with the cell value and adds the extra characters, causing the formatted value to differ from the original and bypassing HTML escaping entirely. An attacker who can control the cell value and number format of an uploaded spreadsheet that is later converted to HTML and displayed to other users can achieve stored cross-site scripting. This issue is fixed in versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-06
Last Modified
2026-05-11
Generated
2026-06-16
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40296
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
phpoffice phpspreadsheet to 1.30.4 (exc)
phpoffice phpspreadsheet From 2.0.0 (inc) to 2.1.16 (exc)
phpoffice phpspreadsheet From 2.2.0 (inc) to 2.4.5 (exc)
phpoffice phpspreadsheet From 3.3.0 (inc) to 3.10.5 (exc)
phpoffice phpspreadsheet From 4.0.0 (inc) to 5.7.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to execute stored cross-site scripting (XSS) by controlling cell values and number formats in uploaded spreadsheets that are later converted to HTML and viewed by other users.

Such XSS vulnerabilities can lead to unauthorized access to user data, session hijacking, or other malicious actions that may compromise the confidentiality and integrity of information.

This can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and attacks.

Executive Summary

This vulnerability exists in PhpSpreadsheet, a PHP library used for reading and writing spreadsheet files. The issue occurs in the HTML writer component, which skips htmlspecialchars escaping when a cell's formatted value differs from its original value.

Specifically, when a cell uses a custom number format containing the text placeholder '@' along with additional literal characters (such as '. @', '@ ', or 'x@'), the formatter replaces '@' with the cell value and adds the extra characters. This causes the formatted value to differ from the original, bypassing HTML escaping entirely.

An attacker who can control both the cell value and the number format in an uploaded spreadsheet that is later converted to HTML and displayed to other users can exploit this to achieve stored cross-site scripting (XSS).

This vulnerability is fixed in PhpSpreadsheet versions 5.7.0, 3.10.5, 2.4.5, 2.1.16, and 1.30.4.

Impact Analysis

This vulnerability can lead to stored cross-site scripting (XSS) attacks if an attacker can upload a malicious spreadsheet with crafted cell values and number formats.

When the spreadsheet is converted to HTML and displayed to other users, the malicious script can execute in their browsers, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, or deliver malware.

The impact includes compromised user accounts, data theft, and potential disruption of service or unauthorized actions within the affected application.

Mitigation Strategies

To mitigate this vulnerability, upgrade PhpSpreadsheet to one of the fixed versions: 5.7.0, 3.10.5, 2.4.5, 2.1.16, or 1.30.4.

Avoid using or accepting spreadsheet files that contain custom number formats with the text placeholder @ combined with additional literal characters, as this can lead to bypassing HTML escaping and enable stored cross-site scripting.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40296. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart