CVE-2026-40863
Analyzed
Analyzed - Analysis Complete
BaseFortify
Vulnerability report for CVE-2026-40863, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-05-12
Last updated on: 2026-05-13
Assigner: GitHub, Inc.
Description
Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the SpreadsheetML XML reader (Reader\Xml) does not validate the ss:Index row attribute against the maximum allowed row count (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a SpreadsheetML XML file with ss:Index="999999999" on a <Row> element, which inflates the internal cachedHighestRow to ~1 billion. Any subsequent call to getRowIterator() without an explicit end row will attempt to iterate ~1 billion rows, causing CPU exhaustion and denial of service. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpoffice | phpspreadsheet | to 1.30.4 (exc) |
| phpoffice | phpspreadsheet | From 2.0.0 (inc) to 2.1.16 (exc) |
| phpoffice | phpspreadsheet | From 2.2.0 (inc) to 2.4.5 (exc) |
| phpoffice | phpspreadsheet | From 3.3.0 (inc) to 3.10.5 (exc) |
| phpoffice | phpspreadsheet | From 4.0.0 (inc) to 5.7.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
