CVE-2026-40902
Analyzed
Analyzed - Analysis Complete
BaseFortify
Publication date: 2026-05-12
Last updated on: 2026-05-14
Assigner: GitHub, Inc.
Description
Description
PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. Prior to 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0, the XLSX reader's ColumnAndRowAttributes::readRowAttributes() method reads row numbers from XML attributes without validating them against the spreadsheet maximum row limit (AddressRange::MAX_ROW = 1,048,576). An attacker can craft a minimal XLSX file (~1.6KB) containing a <row r="999999999"/> element that inflates cachedHighestRow to 999,999,999, causing any subsequent row iteration to attempt ~1 billion loop cycles and exhaust CPU resources. This vulnerability is fixed in 1.30.4, 2.1.16, 2.4.5, 3.10.5, and 5.7.0.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| phpoffice | phpspreadsheet | to 1.30.4 (exc) |
| phpoffice | phpspreadsheet | From 2.0.0 (inc) to 2.1.16 (exc) |
| phpoffice | phpspreadsheet | From 2.2.0 (inc) to 2.4.5 (exc) |
| phpoffice | phpspreadsheet | From 3.3.0 (inc) to 3.10.5 (exc) |
| phpoffice | phpspreadsheet | From 4.0.0 (inc) to 5.7.0 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70